This site contains Angeles Broullon’s coding notes.

They mostly help me keep track of my current work, and help me clear my memory after intense projects. Most of what is stored here is related to Java, vanilla NodeJS and Python, but there is always room to learn more. Also check the date of the note, as it may not be bleeding edge anymore: these are mostly a development diary.

This site is made with Hexo, and using the Hexo Next Theme. The Mermaidjs graphics are inserted using hexo-filter-mermaid-diagrams.

You are welcome to wander around and I hope you find something useful.

Cryptography basics

Cryptography involves high-level mathematics used for securing data.

  • It is essential in various security practices like TLS, SSL, SSH, and email encryption.
  • Encryption protects data in three states: in use, in transit, and at rest.

Key Concepts

  • Encryption:

    • Symmetric Encryption: Uses a single key for both encryption and decryption.
      • Strength: High.
      • Challenge: Securely sharing the key.
    • Asymmetric Encryption: Uses a pair of keys (public and private).
      • Public Key: shared openly.
      • Private Key: kept secret.
      • Usage: the other side of communication encrypts with my public key and then I decrypt with my private key.
  • Hashing: transforms data (like passwords) into a fixed-size digest using algorithms.

    • Common algorithms: MD5, SHA-256, SHA-512.
    • Usage: hashes are one-way functions used to verify data integrity.

Ciphers

  • Key-based ciphers:
    • Private key (Symmetric): Same key for encryption and decryption.
    • Public key (Asymmetric): Pair of public and private keys.
  • Input-based ciphers:
    • Block ciphers: Encrypt data in fixed-size blocks (e.g. AES, Blowfish, Triple DES). Strong but slower. In block chaining mode an initialization vector is used for the first block, and the encrypted output of each block feeds into the encryption of the next one (Cipher Block Chaining).
    • Stream ciphers: Encrypt data one byte at a time (e.g. RC4). Faster but generally less secure than block ciphers.
  • Substitution vs Transposition ciphers:
    • Substitution cipher: replaces each letter with another (e.g. Caesar Cipher).
    • Transposition cipher: rearranges the positions of letters (e.g. Rail Fence Cipher).

Government Access to Keys (GAK)

  • Governments may require access to encryption keys to monitor communications.
  • Keys are securely stored and can be accessed with a court order.

Tools

  • SSH Key Generation: create public and private keys using tools like ssh-keygen.
  • OpenSSL: tool for generating keys and implementing various ciphers.

Crypto algorithms and implementations

Symmetric algorithms

  • DES and Triple DES:
    • DES (Data Encryption Standard): adopted in 1977, officially retired in 2005. It’s still used in some industries, particularly the payment card industry.
    • Triple DES: an extension of DES, but with enhanced security. It’s being prohibited after 2023.
  • RC Algorithms (RC4, RC5, RC6): these are symmetric key algorithms, each iteration being more secure than the previous one. RC4 is notably used in Kerberos.
  • AES (Advanced Encryption Standard): a widely used symmetric algorithm, known for its strength and efficiency.
  • Blowfish: Utilized in secure email encryption tools, backup software, and password management systems.

Asymmetric algorithms

  • RSA (Rivest–Shamir–Adleman): uses a pair of keys (public and private). It is widely used for secure data transmission.
  • Diffie-Hellman: another key exchange algorithm that allows secure sharing of cryptographic keys.

Hashing algorithms

  • MD5: commonly used to verify data integrity. Though simple, it is still useful for non-critical applications.
  • SHA (Secure Hash Algorithms): includes SHA-1, SHA-256, and SHA-512. Higher numbers indicate more complexity and security. SHA-256 is the current standard.
  • RipeMD, HMAC: other notable hashing algorithms used in various applications for ensuring data integrity.

Digital signatures

Digital signatures use a combination of encryption and hashing. They ensure that a message:

  • Comes from a verified sender (using the sender’s private key).
  • Has not been altered (using a hashing algorithm like MD5 or SHA).

Hardware-based encryption

  • TPM (Trusted Platform Module): a hardware chip that stores cryptographic keys and enhances security for features like BitLocker.
  • USB Encryption: keys stored on a USB drive, used for secure data access.
  • HSM (Hardware Security Module): a device for managing digital keys, providing both physical and logical protection.

Advanced encryption concepts

  • Quantum encryption: leverages quantum mechanics to enhance cryptographic security.
  • Elliptic Curve Cryptography (ECC): uses advanced algebraic equations to create shorter keys, enhancing efficiency without compromising security.
  • Homomorphic Encryption: allows encrypted data to be processed without needing to decrypt it first, ensuring data remains secure even during processing.

Cryptography tools

  • PGP (Pretty Good Privacy): a standard encryption mechanism, originally open-source, now owned by Broadcom Inc.
  • GPG (GNU Privacy Guard): an open-source alternative to PGP, providing similar functionalities.

Using GPG

  • Platforms: GPG can be used on various operating systems, including Linux, Windows (through GPG4Win), and others.

  • Basic Commands:

    • Generating Keys: gpg --full-generate-key to create a new key pair.
    • Listing Keys: gpg --list-keys to display all keys.
    • Exporting Keys: gpg --armor --export <email> to export a key in ASCII format.
    • Importing Keys: gpg --import <keyfile> to import a key.
    • Encrypting Files: gpg --output doc.gpg --encrypt --recipient <recipient-email> doc.txt
    • Decrypting Files: gpg --output doc2.txt --decrypt doc.gpg
  • Tools:

    • GPG for Linux: command-line based usage for key generation, key management, encryption, and decryption.
    • GPG4Win: a suite of tools for Windows, including Cleopatra for managing keys and GPGEX for encryption and decryption through the context menu.
    • BC Text Encoder: a simple tool for encoding and decoding text with a password or key, although its interface may not be very user-friendly.

Public key infrastructure

Introduction to PKI

  • Definition: Public Key Infrastructure (PKI) involves generating, creating, distributing, managing, and revoking digital certificates.
  • Components: includes public keys, certificates, and the management of these elements.

PKI processes

  • Certificate Authority (CA): issues, validates, and revokes certificates.
  • Registration Authority (RA): pre-screens certificate requests and verifies requester identity before forwarding to the CA.
  • Validation Authority (VA): validates digital certificates and manages the Certification Revocation List (CRL).

Using PKI

  • Generating certificates: the process involves the subject (user or organization) applying for a certificate, RA verifying the request, CA issuing the certificate, and VA validating it.
  • Certificate services: built into Windows Server, allowing for the management of certificates, including issuing, revoking, and handling certificate requests.

Practical Examples

  • HTTPS websites: use certificates to establish secure connections.
  • VPN connections: certificates can secure VPN tunnels using IPsec.
  • User authentication: systems like Windows Server and Active Directory use certificates for user and device authentication.

Certificate Management

  • Windows server certificate services: provides a management console to handle all certificate-related tasks, such as issuing, revoking, and managing certificate requests.
  • Third-party CA services: organizations like VeriSign and DigiCert provide globally trusted certificates stored securely to prevent compromise.

Self-signed certificates

  • Usage: suitable for internal organization use where the entities involved trust each other.
  • Limitations: not ideal for public use as they are not recognized by external parties without explicit trust settings, potentially leading to security warnings.

Cryptanalysis

Study of cryptosystems to find exploitable weaknesses.

Methods of Cryptanalysis

  1. Linear Method (Known-Plaintext Attack):
    • Requires both encrypted and plaintext data.
    • Used to reverse engineer the decryption key.
    • Guessing common words or phrases can help in finding the plaintext.
  2. Differential Method (Chosen-Plaintext Attack):
    • Attacker defines the plaintext inputs and analyzes the results.
    • Aimed at discovering the encryption key by chosen inputs and outputs.
    • Similar to linear but more controlled since the plaintext is chosen.
  3. Integral Method:
    • A specific type of differential attack.
    • Works with larger inputs, often used in block ciphers.

Code Breaking Techniques

  1. Brute Force Attack: systematically tries all possible keys until the correct one is found. Extremely time-consuming.
  2. Frequency Analysis: analyzes the frequency of letters or groups of letters in the ciphertext. Used to break substitution ciphers by matching frequencies to known patterns.
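As an added example (not code from the original notes), here are the two toy ciphers named in the Ciphers section above, the Caesar substitution cipher and the Rail Fence transposition cipher, together with the frequency-analysis technique from this list applied to the substitution one: every candidate shift is scored against an approximate English letter-frequency table, and the shift whose output looks most like English wins. The frequency table and the sample sentences are constructed here; a transposition cipher is unaffected by this attack because it keeps the original letter frequencies.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate relative frequencies (%) of letters in English text: the "known pattern"
# that frequency analysis matches a ciphertext against (constructed, rounded values).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0, "H": 6.1, "I": 7.0,
    "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7, "O": 7.5, "P": 1.9, "Q": 0.095,
    "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8, "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def caesar(text: str, shift: int) -> str:
    """Substitution cipher: every letter is replaced by the one `shift` places further on."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def _rail_pattern(length: int, rails: int) -> list:
    """Row index of each character position in the zig-zag used by the rail fence cipher."""
    pattern, row, step = [], 0, 1
    for _ in range(length):
        pattern.append(row)
        if row == 0:
            step = 1
        elif row == rails - 1:
            step = -1
        row += step
    return pattern


def rail_fence_encrypt(text: str, rails: int) -> str:
    """Transposition cipher: letters keep their identity but are read out row by row."""
    if rails < 2 or len(text) < 2:
        return text  # a single rail (or a single character) leaves the text unchanged
    rows = [[] for _ in range(rails)]
    for ch, row in zip(text, _rail_pattern(len(text), rails)):
        rows[row].append(ch)
    return "".join("".join(r) for r in rows)


def rail_fence_decrypt(cipher: str, rails: int) -> str:
    if rails < 2 or len(cipher) < 2:
        return cipher
    pattern = _rail_pattern(len(cipher), rails)
    # Slice the ciphertext into rows of the right lengths, then replay the zig-zag to read it out.
    rows, pos = [], 0
    for r in range(rails):
        count = pattern.count(r)
        rows.append(list(cipher[pos:pos + count]))
        pos += count
    return "".join(rows[r].pop(0) for r in pattern)


def chi_squared_vs_english(text: str) -> float:
    """How far the letter distribution of `text` is from English (lower = more English-like)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    if not letters:
        return float("inf")
    counts, n, score = Counter(letters), len(letters), 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] * n / 100
        score += (counts[letter] - expected) ** 2 / expected
    return score


def break_caesar(cipher: str) -> tuple:
    """Frequency analysis: try all 26 shifts and keep the one that looks most like English."""
    best_shift = min(range(26), key=lambda s: chi_squared_vs_english(caesar(cipher, -s)))
    return best_shift, caesar(cipher, -best_shift)


if __name__ == "__main__":
    plain = "ATTACK THE ENEMY AT DAWN AND SEND THE REPORT TO THE GENERAL BEFORE THE SUN SETS"
    secret = caesar(plain, 7)
    print("caesar(7):      ", secret)
    print("recovered shift:", break_caesar(secret))
    fence = rail_fence_encrypt("WEAREDISCOVEREDFLEEATONCE", 3)
    print("rail fence(3):  ", fence, "->", rail_fence_decrypt(fence, 3))
```

The chi-squared score is what makes this a frequency attack rather than a brute-force one: brute force would print all 26 candidates and leave the choice to a human, while the score picks the right one automatically as soon as the ciphertext is long enough for letter frequencies to be meaningful.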

Additional attack types

  1. Man-in-the-Middle Attack: the attacker intercepts and possibly alters the communication between two parties who believe they are directly communicating with each other.
  2. Meet-in-the-Middle attack: reduces the time to break ciphers using multiple keys. Involves known plaintext attacks from both sides of the encryption/decryption process.
  3. Side channel attacks: exploit physical characteristics of the cryptosystem such as power usage, electromagnetic emissions, or audio emanations to gain information about the cryptosystem.
  4. Hash collisions: occur when two different inputs produce the same hash output. Dangerous because it can allow unauthorized access if a different input produces a matching hash.
  5. Related key attacks: exploit relationships between keys to uncover the key or data. Common in older encryption methods like WEP where keys are reused.
  6. Rubber hose attack: a physical attack where secrets are extracted from a person through coercion or torture.

Tools for cryptanalysis

  • Crack Station: An online tool for cracking hashed passwords. It supports various hash types including MD5, SHA-1, and others.
  • CrypTool is a free, open-source e-learning application used in the implementation and analysis of cryptographic algorithms.

Crypto-attack Countermeasures

  • Secure key sharing:
    • Protect private information by securely sharing keys to prevent unauthorized access.
    • Avoid common pitfalls like emailing keys, which can lead to compromise if intercepted.
  • Symmetric vs. Asymmetric encryption:
    • Symmetric algorithms are stronger but require secure key sharing.
    • Asymmetric algorithms offer easier key management but may lack robust encryption.
    • Combining both types of encryption enhances security.
  • Encryption strength:
    • Use encryption schemes with higher bit lengths for better security.
    • AES 256 and RSA are recommended due to their proven track record.
  • Avoiding homegrown encryption:
    • Stick to established encryption methods like AES and RSA rather than creating custom systems.
    • Homegrown encryption lacks the vetting and community support of widely-used encryption standards.
  • Avoid hard-coded credentials:
    • Hard-coded keys pose a significant security risk, making it easy for attackers to reverse engineer and compromise systems.
    • Encrypt keys with passwords or passphrases to add an extra layer of security.
  • Intrusion Detection Systems (IDS):
    • IDS can monitor key exchanges and detect suspicious activities like man-in-the-middle attacks.
    • Ensure IDS systems are robust and properly vetted to avoid security vulnerabilities.
  • Key stretching:
    • Increase the length of keys to enhance security, similar to using longer passwords to resist brute-force attacks.
    • Key stretching techniques like PBKDF2 and bcrypt strengthen encryption by making it more difficult to crack.
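The following is an added example (not code from the original notes) that ties together the Hashing algorithms section above, the integrity half of digital signatures, and this key stretching item, using only the Python standard library: a plain digest for integrity checks, an HMAC so that only a key holder can produce a valid tag, and PBKDF2-HMAC-SHA256 with a random salt for password storage. The 600,000 iteration count is the OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256; the messages and passwords are constructed.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2-HMAC-SHA256 recommended by the OWASP Password Storage Cheat Sheet.
PBKDF2_ITERATIONS = 600_000


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """One-way hash of `data`: the same input always yields the same hex digest."""
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check: recompute the digest and compare it in constant time."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256: a keyed hash, so only holders of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Key stretching: a random salt plus many PBKDF2 rounds make every guess expensive."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record, so the iteration count can be raised later without breaking old hashes.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported password hash format: {algorithm}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    msg = b"transfer 100 EUR to account 42"  # constructed demo message
    print("sha256:", digest(msg))
    print("md5   :", digest(msg, "md5"))
    tag = hmac_tag(b"shared-secret", msg)
    print("hmac ok:", verify_hmac(b"shared-secret", msg, tag),
          "tampered:", verify_hmac(b"shared-secret", msg + b"0", tag))
    record = hash_password("correct horse battery staple")  # constructed demo password
    print(record)
    print("password ok:", verify_password("correct horse battery staple", record),
          "wrong:", verify_password("Tr0ub4dor&3", record))
```

Two details matter in practice: the comparisons go through hmac.compare_digest rather than ==, so a mismatch takes the same time wherever it occurs, and the salt makes two users with the same password produce different records, which defeats precomputed tables of the kind the cracking tools listed earlier rely on.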

Cloud computing basics

Cloud computing is integral to modern technology. The cloud is essentially “someone else’s computer.”

Types of cloud services

  1. IaaS (Infrastructure as a Service)

    • Provides virtualized computing resources over the internet.
    • Users manage applications, data, runtime, middleware, and OS.
    • Providers manage virtualization, servers, storage, and networking.
  2. PaaS (Platform as a Service):

    • Offers hardware and software tools over the internet.
    • Users manage applications and data.
    • Providers handle runtime, middleware, OS, virtualization, servers, storage, and networking.
  3. SaaS (Software as a Service):

    • Delivers software applications over the internet.
    • Providers manage all aspects of the service.
    • e.g. Google Suite (Gmail, Google Docs, etc.).
  4. IDaaS (Identity as a Service):

    • Manages user identities and access.
    • Includes single sign-on (SSO) and multi-factor authentication (MFA).
  5. SECaaS (Security as a Service):

    • Provides security services via the cloud.
    • Includes automated penetration testing, antivirus (AV), and endpoint detection and response (EDR).
  6. CaaS (Container as a Service):

    • Offers container-based virtualization.
    • e.g. Amazon S3 buckets and other container services.
  7. FaaS (Function as a Service):

    • Enables functions to be executed in the cloud.
    • e.g. AWS Lambda.

Responsibility areas

  • On-premises: user is responsible for all aspects of infrastructure and software.
  • IaaS: provider handles physical aspects and virtualization; user handles software and data.
  • PaaS: provider manages everything except applications and data.
  • SaaS: provider manages all aspects of the service.

Deployment models

  1. Public cloud: services offered over the public internet and available to anyone.
  2. Private cloud: exclusive to a single organization, offering more control and security.
  3. Community cloud: shared among multiple organizations with common concerns (e.g. healthcare providers sharing infrastructure for secure data exchange).
  4. Hybrid cloud: combination of public, private, and community cloud models.
  5. Multi-cloud: utilizes services from multiple cloud providers for redundancy or specialized capabilities. Managed through a single interface by third-party brokers.

NIST cloud deployment reference architecture

  1. Cloud consumer: end user or organization using the cloud service.
  2. Cloud provider: entity providing cloud services.
  3. Cloud carrier: enables network connectivity between consumers and providers.
  4. Cloud broker: manages and integrates multiple cloud services for consumers.
  5. Cloud auditor: conducts independent assessments of cloud implementations.

Cloud storage architecture

  1. Front-end: user-facing interaction layer (e.g., APIs, web apps).
  2. Back-end: physical hardware (servers, networking).
  3. Middleware: handles data deduplication, replication, and storage efficiency.

Categories of cloud brokers

  1. Service Intermediation

    • Description: Enhances an existing service by improving specific capabilities.
    • Example: A broker might add security features to a basic cloud storage service, providing encryption and access control that the original service lacks.
  2. Service Aggregation

    • Description: Combines multiple services into one unified service. It handles data integration and ensures the services work together seamlessly.
    • Example: A broker could integrate cloud storage from one provider, computing power from another, and database services from a third into a single package.
  3. Service Arbitrage

    • Description: Provides flexibility in choosing services from multiple providers based on current conditions and requirements. The broker evaluates and selects the best options dynamically.
    • Example: A broker might switch between cloud providers for the best price or performance for a specific task, such as shifting from AWS to Azure if Azure offers a better rate or performance for a given workload.

Container basics

A container is a portable software package that includes everything needed to run an application, such as configuration files, libraries, and dependencies. This ensures consistency, scalability, and cost-effectiveness. They simplify the development process by providing predefined environments, reducing setup time, and ensuring applications run consistently across different platforms.

Five-tier container architecture (as defined by EC-Council)

  1. Developer Machines:

    • Used for image creation, testing, and accreditation.
    • Ensures the image is ready for use.
  2. Testing and Accreditation Systems:

    • Verifies and validates image contents.
    • Signs the images for integrity and readiness.
  3. Registries:

    • Stores container images.
    • Supports image delivery via orchestration software.
  4. Orchestrators:

    • Transforms images into containers and deploys them.
    • Manages large-scale container deployments programmatically.
  5. Hosts: operate and manage containers based on orchestrator instructions.

Key terms and concepts

  • Docker:

    • A leading platform for building, deploying, and managing containerized applications.
    • Features:
      • Docker Images: Base templates for creating containers.
      • Docker Daemon: Manages Docker objects and handles API requests.
      • Docker Registry (e.g., Docker Hub): Repository for official and custom container images.
      • Docker Files: Text files with commands for creating container images.
  • Orchestration:

    • Automates the container lifecycle, including:
      • Provisioning and deployment.
      • Resource allocation and scaling.
      • Security and monitoring.
    • Popular tools: Kubernetes, OpenShift, Docker Swarm, Ansible.

Security Challenges in Containerization

  1. Untrusted images:
    • Public containers may contain outdated software or vulnerabilities.
    • Perform thorough checks before deployment.
  2. Container breakout:
    • Attackers may exploit vulnerabilities to escape the container and access the host system.
    • Running containers as root increases risks.
  3. Insecure secrets: API keys, usernames, and passwords stored insecurely in containers can be exploited.
  4. Noisy neighbor: a container consuming excessive host resources can cause other containers to fail.
  5. Vulnerable source code: containers used for testing may expose organizations to attacks if insecure code is deployed.

Hacking cloud services

Cloud vulnerability scanning

  • Purpose: Identifies security weaknesses in cloud-specific configurations, not just OS or application vulnerabilities.
  • Focus Areas:
    • Cloud misconfigurations (e.g., AWS, Azure).
    • Vulnerable containers and container images.
    • Sensitive information leaks and insecure practices.

Tools for Cloud Security Scanning

  1. Trivy: comprehensive security scanner for container images, Git repositories, virtual machine images, Kubernetes, and AWS. Detects CVEs, IAC issues, sensitive information leaks, and software license violations.
  2. Clair: open-source tool for static analysis of vulnerabilities in application containers (OCI and Docker).
  3. DAGDA: performs static analysis for known vulnerabilities, malware, and anomalous activities in Docker images/containers.
  4. Palo Alto Prisma (previously Twistlock): cloud-native cybersecurity platform for full lifecycle security in containerized environments and cloud-native applications.
  5. Sysdig: focuses on Kubernetes security, enumerating key storage, API objects, configuration files, and open ports.

S3 Discovery and Enumeration

  • Common issues:
    • Publicly readable buckets exposing sensitive data (keys, credentials, private files).
    • Incorrect permissions allowing unauthorized access.
  • Tools:
  • Manual methods:
    • Checking source code for S3 bucket URLs.
    • Using brute-forcing techniques with tools like Burp Suite or custom scripts.

AWS privilege escalation techniques

  • Metadata service exploitation:

    • Access through SSRF vulnerabilities using the special IP 169.254.169.254.
    • Gaining credentials (access key, secret key, session token) from security-credentials.
  • IAM role misconfigurations:

    • Exploiting overly permissive IAM roles to escalate privileges.
    • Identifying unused or improperly configured roles using AWS CLI.
  • Key discovery:

    • Searching GitHub or forums for leaked keys and credentials.
    • Leveraging AWS CLI for detailed role and key analysis.
  • Public AMIs: downloading and analyzing shared AMIs for sensitive information.
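The metadata service item above is, from the application side, a URL validation problem: a server-side fetch of a user-supplied URL must never be allowed to reach 169.254.169.254. The check below is an added example (not code from the original notes) of such a guard in Python using only the standard library. The link-local address is the one named on this page; fd00:ec2::254 (the AWS IMDS IPv6 endpoint) and metadata.google.internal (GCP) are added from the vendors' documentation. The URLs in the demo are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Well-known cloud metadata endpoints: the 169.254.169.254 address named above, the AWS IMDS
# IPv6 endpoint (fd00:ec2::254) and the GCP metadata hostname.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}


def _is_blocked(ip) -> bool:
    """True for any address a server-side fetch should never be talked into contacting."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 is still the metadata address
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _literal_ip(host: str):
    """Parse an IP literal, including the plain-decimal form (2852039166 == 169.254.169.254)."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.IPv4Address(int(host))
        except ValueError:
            return None
    return None


def is_safe_fetch_target(url: str, resolved_ips=None) -> bool:
    """Decide whether a user-supplied URL may be fetched server-side.

    `resolved_ips` are the addresses the caller resolved the hostname to. Without them a
    hostname is refused (fail closed): the risk lies in where the name points, not in the name.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # file:// and other schemes are never legitimate fetch targets here
    host = parts.hostname  # already lower-cased and stripped of IPv6 brackets
    if not host or host in METADATA_HOSTS:
        return False
    ip = _literal_ip(host)
    if ip is not None:
        return not _is_blocked(ip)
    if not resolved_ips:
        return False
    return all(not _is_blocked(ipaddress.ip_address(a)) for a in resolved_ips)


if __name__ == "__main__":
    # Constructed sample inputs: the first four are the shapes a metadata probe typically takes.
    samples = [
        ("http://169.254.169.254/latest/meta-data/", None),
        ("http://2852039166/latest/meta-data/", None),
        ("http://[::ffff:169.254.169.254]/", None),
        ("http://metadata.google.internal/", None),
        ("file:///etc/passwd", None),
        ("https://example.com/report.pdf", None),               # refused: not resolved yet
        ("https://example.com/report.pdf", ["93.184.216.34"]),  # allowed once resolved to a public IP
        ("https://example.com/report.pdf", ["10.0.0.5"]),       # refused: resolves into the VPC
    ]
    for url, ips in samples:
        print(f"{'allow' if is_safe_fetch_target(url, ips) else 'block':5}  {url}  {ips or ''}")
```

The guard is only as good as the connection that follows it: the HTTP client must connect to the address that was checked (pin the resolved IP rather than resolving again), otherwise a DNS answer that changes between check and use defeats it. On the instance side, requiring IMDSv2 session tokens and keeping the metadata hop limit at 1 reduces what a server-side request that slips through can read.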

Pentesting AWS environments

  • Tools:
    • Pakku: framework for AWS penetration testing, automating enumeration and misconfiguration analysis.
    • Cloud Goat: creates an insecure AWS environment for testing.
  • Focus Areas:
    • IAM role analysis and misconfiguration.
    • Privilege escalation through found keys or roles.
    • Metadata service abuse.

Key security concerns

  1. Publicly Accessible Resources: public buckets and AMIs exposing sensitive data.
  2. IAM Misconfigurations: roles with excessive permissions or improper restrictions.
  3. Metadata Service Exploits: using SSRF vulnerabilities to gain access to AWS credentials.

Cloud security controls

Measures implemented to enhance the security of cloud systems.

Categories

  • Standard Security Controls: traditional measures applicable to cloud environments.
  • Cloud-Specific Security Controls: tailored measures for cloud systems.

Standard security controls

  1. Secure Software Development Lifecycle (SDLC):
    • Prevent flaws in cloud-hosted applications and APIs.
    • Example: Avoid leaking AWS credentials.
  2. Patching and updates:
    • Ensure operating systems, applications, and infrastructure are up-to-date.
    • Prevent exploitation of known vulnerabilities (e.g., EternalBlue).
  3. Change default configurations: avoid using default credentials or settings.
  4. Firewalls and intrusion detection/prevention: use tools like IDS, IPS, and WAF for monitoring and defense.
  5. Logging and monitoring: track activity to detect anomalies and respond quickly.
  6. Denial-of-Service mitigation: use devices or services to prevent DoS/DDoS attacks.
  7. Encryption: encrypt sensitive data at rest and in transit.
  8. Endpoint Protection: deploy antivirus and EDR solutions.

Cloud-specific security controls

  1. S3 Bucket Permissions:
    • Ensure correct access controls for S3 buckets.
    • Enable features like default encryption and versioning.
  2. Docker Security Best Practices (via OWASP):
    • Use trusted Docker images.
    • Limit container capabilities and use “no new privileges” flags.
    • Disable inter-container communication when unnecessary.
    • Run Docker in rootless mode.
  3. Kubernetes Security Best Practices:
    • Keep Kubernetes up-to-date.
    • Restrict API access using namespaces and network policies.
    • Conduct regular security audits.
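The S3 Bucket Permissions item above and the "publicly readable buckets" issue in the S3 enumeration section are the same control seen from both sides. The Python below is an added example (not code from the original notes) of the audit a defender runs over the two documents that decide who can read a bucket: the bucket policy (as returned by get-bucket-policy) and the bucket ACL (as returned by get-bucket-acl). It flags Allow statements whose principal is everyone and ACL grants to the AllUsers/AuthenticatedUsers groups. The sample policy, ACL and account id are constructed.

```python
import json
from fnmatch import fnmatch

# ACL grantee groups that make a bucket readable by everyone on the internet (AllUsers)
# or by any AWS account holder at all (AuthenticatedUsers).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """Principals meaning "anyone": "*" or {"AWS": "*"} (the latter possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _exposes_data(actions) -> bool:
    """Reading objects or listing the bucket is what leaks data; wildcards such as s3:Get* count."""
    for action in actions:
        action = action.lower()
        if action in ("*", "s3:*") or fnmatch(action, "s3:get*") or fnmatch(action, "s3:list*"):
            return True
    return False


def public_policy_statements(policy: dict) -> list:
    """Allow statements granted to everyone, with what they expose."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = _as_list(st.get("Action", []))
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": actions,
            "exposes_data": _exposes_data(actions),
            # A Condition (e.g. on aws:SourceVpce) may narrow "everyone"; it still needs a human look.
            "conditional": "Condition" in st,
        })
    return findings


def public_acl_grants(acl: dict) -> list:
    """(group URI, permission) pairs granted to the public groups."""
    return [(g["Grantee"]["URI"], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def audit_bucket(name: str, policy: dict, acl: dict) -> list:
    """Human-readable findings for one bucket; an empty list means nothing public was found."""
    issues = []
    for f in public_policy_statements(policy):
        severity = "HIGH" if f["exposes_data"] and not f["conditional"] else "REVIEW"
        issues.append(f"{severity}: bucket {name} policy statement {f['sid']} allows {f['actions']} to everyone")
    for uri, permission in public_acl_grants(acl):
        issues.append(f"HIGH: bucket {name} ACL grants {permission} to {uri.rsplit('/', 1)[-1]}")
    return issues


# Constructed sample documents in the shape the AWS API returns them (account id is a placeholder).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", SAMPLE_POLICY, SAMPLE_ACL):
        print(line)
```

Two caveats when using this on real accounts: object-level ACLs can make individual objects public even when the bucket documents are clean, and the account- or bucket-level Block Public Access settings, when enabled, override both documents, so an audit should read those settings first and treat the findings above as "public unless blocked".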

Tools for cloud security

  1. Qualys: cloud vulnerability scanning and security assessments.
  2. Prisma cloud: cloud-native application protection platform by Palo Alto Networks.
  3. Aqua Security: protects workloads, cloud platforms, and Kubernetes deployments.
  4. Tenable: comprehensive tools for cloud and on-prem vulnerability management.
  5. Kubebench: open-source tool for checking Kubernetes deployment security against CIS benchmarks.
  6. Sumo logic: provides observability and security analytics for cloud deployments.

IoT Basics

Connecting everyday objects and systems to networks to make them globally available and interactive.

Components of IoT

  1. Things: everyday devices like refrigerators, washing machines, sensors, cameras, and network devices connected to the internet.
  2. Gateway: connects IoT devices to each other, end users, or the cloud.
  3. Cloud Server: stores and processes IoT data, making it available for consumption.
  4. Remote Apps: interface for users to connect and manage IoT devices, often via smartphones or laptops.

Types

  • Consumer IoT: devices like smart refrigerators, washing machines, IP cameras, and routers.
  • Industrial IoT: sensors for monitoring industrial processes, pressure, heat, fluid flow, etc.

IoT architecture

  1. Edge Technology: IoT hardware components.
  2. Access Gateway: allows communication between different IoT technologies.
  3. Internet layer: IP-based communication for IoT devices.
  4. Middleware: services running in the background to support the application layer.
  5. Application Layer: end-user interface for interacting with IoT devices.

IoT applications

  • Healthcare: heart monitors, medical sensors.
  • Military: monitoring and control systems for military equipment.
  • IT: environmental monitoring of server rooms.
  • Transportation: tire pressure sensors, traffic monitoring.
  • Energy: monitoring and control in power plants, solar, hydroelectric.

Communication technologies and protocols

  • Common technologies: Wi-Fi, RFID, ZigBee, LTE, LP WAN, SigFox, Ethernet.
  • Operating Systems: embed OS, Windows 10 IoT, Contiki NG, Ubuntu Core.

Communication models

  1. Device to Device: direct communication between two devices.
  2. Device to Cloud: devices communicate with the app service provider.
  3. Device to Gateway: devices communicate with an IoT gateway which then connects to the app service provider.
  4. Backend Data Sharing: device communicates with multiple app service providers.

Security challenges

No or weak security, poor access control, vulnerable web applications, clear text communications, lack of support, physical theft.

IoT threats and vulnerabilities

OWASP Top 10 IoT Threats

  1. Weak, guessable, or hard-coded passwords: easily guessed or hard-coded credentials pose significant security risks.
  2. Insecure network services: services that lack encryption and other security measures are vulnerable to attacks.
  3. Insecure ecosystem interfaces: includes web applications, APIs, and other components that interact with the device.
  4. Lack of secure update mechanism: firmware updates without secure methods can be exploited for attacks.
  5. Use of insecure or outdated components: deprecated or insecure software components can be compromised.
  6. Insufficient privacy protection: user data must be stored and transmitted securely to protect privacy.
  7. Insecure data transfer and storage: sensitive data should be encrypted during transfer and storage.
  8. Lack of device management: poor management interfaces can lead to security lapses.
  9. Insecure default settings: default settings like “admin/admin” for username and password should be avoided.
  10. Lack of physical hardening: physical access to the device can lead to its compromise.

IoT Attack Surfaces

  1. Physical interfaces: ports and physical connections on the device that can be exploited.
  2. Firmware: vulnerabilities in the firmware can be exploited through updates.
  3. Network traffic: unencrypted communications can be intercepted.
  4. Vendor and third-party APIs: APIs must be secure to prevent unauthorized access.
  5. Local Storage: data stored on the device should be protected.
  6. Mobile applications: security weaknesses in associated mobile apps can be exploited.

Additional IoT vulnerabilities

  • MFA/2FA: implementing multi-factor authentication to enhance security.
  • Lockout policies: prevent brute force attacks by locking accounts after several failed attempts.
  • DDoS protection: devices should be protected against denial-of-service attacks.
  • Regular updates and patches: ensure timely updates to address vulnerabilities.
  • Insecure third-party components: ensure third-party components are secure.
  • Hardware access ports: secure physical ports like JTAGs and UARTs to prevent unauthorized access.
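The lockout policy in this list is easy to state and easy to get subtly wrong (failures that never age out, locks that never expire, a correct password accepted while locked). The class below is an added example (not code from the original notes) of the policy in Python: failures within a sliding window are counted, reaching the limit locks the account for a fixed time, a successful login resets the count, and the clock is injectable so the behaviour can be checked without waiting. The credential store in the demo is constructed.

```python
import time


class LockoutPolicy:
    """Lock an account after `max_failures` failed logins inside `window` seconds, keep it
    locked for `lock_for` seconds, and forget failures once they are older than the window."""

    def __init__(self, max_failures=5, window=600, lock_for=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self.clock = clock          # injectable so tests can control time
        self._failures = {}         # user -> timestamps of recent failed attempts
        self._locked_until = {}     # user -> time at which the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear it together with the failure history that caused it.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> bool:
        """Register a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(user):
            return True
        now = self.clock()
        recent = [t for t in self._failures.get(user, []) if now - t <= self.window]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lock_for
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure counter."""
        self._failures.pop(user, None)

    def attempt_login(self, user: str, password: str, check_credentials) -> str:
        """Returns "locked", "ok" or "denied". A locked account is refused before the password
        is checked at all, so guessing cannot continue (and cannot be timed) during the lock."""
        if self.is_locked(user):
            return "locked"
        if check_credentials(user, password):
            self.record_success(user)
            return "ok"
        return "locked" if self.record_failure(user) else "denied"


if __name__ == "__main__":
    # Constructed demo: a fake clock makes the window and the lock expiry visible instantly.
    fake_now = [0.0]
    policy = LockoutPolicy(max_failures=3, window=60, lock_for=30, clock=lambda: fake_now[0])
    creds = {"operator": "correct-password"}  # constructed credential store for the demo only
    check = lambda user, pw: creds.get(user) == pw
    for t, pw in [(0, "guess1"), (1, "guess2"), (2, "guess3"), (3, "correct-password"), (40, "correct-password")]:
        fake_now[0] = t
        print(f"t={t:>3}s  password={pw:<17} -> {policy.attempt_login('operator', pw, check)}")
```

For a device with a handful of accounts this is enough; where one attacker can spread guesses over many usernames, the same counting should also be applied per source address, and the lock itself should be logged, since a burst of lockouts is one of the clearest signals of a brute-force attempt in progress.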

IoT attacks tools and countermeasures

Hardware Tools

  • JTagulator: used for identifying JTAG interface pins.
  • UART TTL to USB Device: connects UART to USB, enabling device communication.
  • Bus Pirate: interfaces with hardware devices for testing and debugging.
  • SOIC Clip: connects to integrated circuits for direct interaction.
  • RS232 to USB Adapter: interfaces with Serial Peripheral Interface (SPI) chips.

Software Tools

  • Shodan: searches for internet-connected devices and identifies vulnerabilities.
  • Censys and Thingful: similar to Shodan for identifying and analyzing IoT devices.
  • Wireshark/TCPDump: network protocol analyzers for monitoring network traffic.
  • Burp Suite/OWASP ZAP: web application security testing tools.
  • GNU Radio/RTL-SDR: software and hardware for software-defined radio (SDR) applications.

Unique IoT Attacks

  • HVAC attacks: exploiting web-managed heating, ventilation, and air conditioning systems.
  • Rolling Code attacks: intercepting and predicting codes used in key fobs.
  • Bluetooth attacks: exploits like BlueBorne and Bluejacking.
  • DDoS via jamming: overwhelming IoT devices’ communication channels.
  • Sybil attack: overloading systems with false identities, e.g., causing traffic jams via manipulated GPS data.

OT basics

Operational Technology (OT):

  • Technologies used in manufacturing, energy, and critical infrastructure.
  • Involves managing, monitoring, and controlling industrial systems and operations.
  • Companies like Siemens, Schneider Electric, and Allen Bradley are prominent OT manufacturers.

Components and systems:

  1. ICS (Industrial Control Systems):

    • Systems that control industrial processes.
    • e.g. Control systems in a power plant.
  2. SCADA (Supervisory Control and Data Acquisition):

    • Gathers and presents data to operators.
    • Operators use this data to make decisions and control processes.
  3. DCS (Distributed Control Systems): focuses on automation and process control with minimal operator interaction.

  4. PLCs (Programmable Logic Controllers):

    • Physical devices that control machinery and processes.
    • e.g. A PLC could control a valve or a pump in a manufacturing process.
  5. RTUs (Remote Terminal Units):

    • Similar to PLCs but more robust and suitable for harsh environments.
    • Often have better environmental tolerances and higher autonomy.
  6. BPCS (Basic Process Control Systems):

    • Ensures operator decisions are implemented in the physical processes.
    • Receives information and makes sure actions are executed.
  7. SIS (Safety Instrumented Systems):

    • Ensures safety by automatically handling anomalies and emergencies.
    • Example: Shutting off power to prevent explosions.
  8. HMI (Human Machine Interface):

    • Interface through which operators interact with OT devices.
    • Often touchscreen-based for ease of use.
  9. IED (Intelligent Electronic Devices):

    • Devices that receive data and issue control commands.
    • e.g. Tripping a breaker during a voltage anomaly.
  10. IIoT (Industrial Internet of Things):

    • Integration of IT and OT.
    • Connects traditional OT systems to IT networks for enhanced management.

Security Challenges:

  • Plain text protocols: many OT protocols are not encrypted.
  • Complexity: high complexity can make security management difficult.
  • Proprietary and legacy technology: hard to secure due to outdated systems and proprietary designs.
  • Convergence issues: combining IT and OT brings IT security vulnerabilities into OT environments.

OT attacks tools and countermeasures

Vulnerabilities

  1. Interconnected systems: often connected to the internet for remote access, exposing them to external threats.
  2. Missing/non-existent updates: lack of regular updates due to perceived isolation, increasing vulnerability.
  3. Weak passwords/no authentication: often overlooked as systems were initially isolated.
  4. Weak firewall rules: inadequate firewall configurations, leading to security breaches.
  5. Non-existent network segmentation: flat networks without segmentation make it easier for attackers to access the entire system.
  6. Weak/non-existent encryption: lack of encryption due to a false sense of security.

Threats

  1. Malware: can be introduced via removable media, external hardware, web applications, and end-user devices.
  2. Denial of Service (DoS/DDoS) attacks: can disrupt critical services, leading to indirect human life risks.
  3. Sensitive data exposure: breaches leading to exposure of critical operational data.
  4. HMI-based attacks: exploiting human-machine interfaces through software vulnerabilities or physical access.
  5. Human error: programming or configuration errors, physical mishandling of equipment.
  6. Side channel attacks: exploiting physical aspects like timing, power consumption, and electromagnetic emanations.
  7. Radio Frequency (RF) attacks: capturing or injecting RF signals to manipulate or gain access to OT systems.

Tools

  1. Shodan: search engine for internet-connected devices, useful for identifying vulnerable OT systems.
  2. Search Diggity: suite of tools for searching and analyzing potential attack vectors via search engines.
  3. S7 Scan: python tool for scanning and enumerating Siemens PLCs.
  4. PLC Scan: scans PLC devices over S7 or Modbus protocols.
  5. SmartRF Studio: Texas Instruments tool for evaluating and debugging RF systems.
  6. Industrial Exploitation Framework (ISF): framework similar to Metasploit for exploiting vulnerabilities in ICS and SCADA systems.

Countermeasures

  • Regular updates and patches: ensure systems are regularly updated to mitigate known vulnerabilities.
  • Strong authentication: implement strong passwords and multi-factor authentication.
  • Robust firewall configurations: Set up and regularly review firewall rules.
  • Network segmentation: divide networks into segments to limit access and contain breaches.
  • Encryption: use strong encryption for data in transit and at rest.
  • User training: educate users on best security practices and potential risks.
  • Monitoring and auditing: continuously monitor systems and conduct regular security audits.
  • Incident response planning: develop and regularly update an incident response plan.
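As an added example (not part of the original notes), a small Python monitor that parses Modbus/TCP frames and flags write requests from any host other than an allowlisted engineering workstation. It shows both why plain-text OT protocols are a problem (nothing in the frame authenticates the sender) and how monitoring and segmentation can compensate; the frames, IP addresses and allowlist are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state (coils and holding registers).
MODBUS_WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP frame: 7-byte MBAP header, then the PDU. Nothing in it
    authenticates the sender, so the source host is all a monitor can judge by."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src_ip, tid, unit, frame[7], frame[8:])

def flag_unauthorized_writes(frames, allowed_writers):
    """Alert on write requests from hosts outside the allowlist, and on
    malformed frames, which on a flat OT network deserve a look too."""
    alerts = []
    for src_ip, frame in frames:
        try:
            req = parse_modbus_tcp(src_ip, frame)
        except ValueError as exc:
            alerts.append(f"{src_ip}: malformed frame ({exc})")
            continue
        if req.function in MODBUS_WRITE_FUNCTIONS and src_ip not in allowed_writers:
            alerts.append(f"{src_ip}: {MODBUS_WRITE_FUNCTIONS[req.function]} to unit {req.unit_id}")
    return alerts

# Constructed sample traffic (not a real capture): an HMI reading registers, the
# engineering workstation writing a setpoint, and an unknown host writing a coil.
ALLOWED_WRITERS = {"10.0.5.10"}  # hypothetical engineering workstation
SAMPLE_FRAMES = [
    ("10.0.5.20", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),  # FC3 read 10 regs
    ("10.0.5.10", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x01\x12\x34"),  # FC6 write reg 1
    ("10.0.5.77", b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x00\xff\x00"),  # FC5 coil 0 ON
    ("10.0.5.77", b"\x00\x04\x00\x00\x00\x09\x01\x03\x00"),  # bad MBAP length
]
```

Running flag_unauthorized_writes(SAMPLE_FRAMES, ALLOWED_WRITERS) yields two alerts, both for 10.0.5.77; the read from the HMI and the write from the allowlisted workstation are silent.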

Mobile security basics

Mobile devices have multiple entry points for attackers due to their extensive functionality and connectivity.

Surfaces

  1. Operating Systems: vulnerable to outdated patches. Regular updates are essential to address security flaws.
  2. Applications: third-party or malicious apps can exploit devices. Even official app stores occasionally host compromised apps.
  3. Bluetooth: susceptible to attacks like Bluejacking, Bluesnarfing, Bluebugging, and BlueBorne. Older specifications lack encryption and authentication.
  4. Wi-Fi: subject to common wireless threats (e.g., Evil Twin, Honeypot attacks). Devices on public Wi-Fi are particularly vulnerable.
  5. Telco (Cellular Networks): outdated protocols like SS7 allow attackers to eavesdrop on calls, intercept messages, and perform billing fraud.
  6. Web Browsing: exposed to client-side attacks like Cross-Site Scripting (XSS), drive-by downloads, and clickjacking.

Threats and Vulnerabilities

  • Malware:

    • Overview: malware targets all devices, including mobile.
    • Examples: malicious APKs, spyware apps.
    • Prevention: regular updates, antivirus tools, and avoiding third-party app stores.
  • SIM hijacking:

    • Mechanism:
      • Attackers hijack SIMs to intercept 2FA messages and calls.
      • Insider threats may involve telecom employees.
    • Impact: Compromises sensitive accounts and communication.
  • App Store threats:

    • Official stores: even trusted platforms like Google Play and Apple App Store can host malicious apps.
    • Third-party stores: apps from third-party sources like FDroid require careful vetting.
    • Mitigation: stick to official app stores and minimize app installs.
  • Encryption weaknesses:

    • Unencrypted communication: SMS and certain apps lack encryption.
    • Weak Encryption: devices using outdated protocols are vulnerable.
    • Recommendations: use apps with end-to-end encryption like Signal or WhatsApp. Ensure devices utilize strong encryption protocols.
  • Theft and physical access:

    • Risks: unlocked or poorly secured devices can lead to unauthorized access.
    • Mitigation: enable auto-lock features with strong passwords or biometrics. Use remote wipe capabilities.

OWASP Mobile Top 10 Risks:
The OWASP Mobile Top 10 outlines common mobile security risks:

  1. Improper Platform Usage: Misuse of OS features.
  2. Insecure Data Storage: Storing sensitive data unencrypted.
  3. Insecure Communication: Lack of encrypted channels.
  4. Insecure Authentication: Weak login mechanisms.
  5. Insufficient Cryptography: Poor implementation of encryption.
  6. Insecure Authorization: Allowing unauthorized access.
  7. Client Code Quality Issues: Vulnerable application code.
  8. Code Tampering: Modified or malicious apps.
  9. Reverse Engineering: Attackers decompiling apps to exploit vulnerabilities.
  10. Extraneous Functionality: Exposing debug or test features in production.

General security guidelines

  1. Keep devices updated: install patches and updates promptly.
  2. Use antivirus software: detect and mitigate malware.
  3. Enable encryption: encrypt device storage and external media.
  4. Minimize app installs: only install necessary and verified apps.
  5. Disable unused features: turn off Bluetooth, Wi-Fi, and location services when not needed.
  6. Secure communication: use apps with end-to-end encryption.
  7. Be cautious of public networks: avoid public Wi-Fi or use VPNs for secure connections.
  8. Monitor device activity: look for suspicious behavior and unauthorized access.

Additional risks and considerations:

  • Sandbox bypass: Mobile devices may be susceptible to sandbox bypass or escape, allowing malicious actors to evade security measures and compromise device integrity.
  • Sim hijacking: Attackers can hijack SIM cards to intercept SMS messages, phone calls, and two-factor authentication (2FA) codes, compromising device security.
  • Mobile spam and phishing: Mobile users are vulnerable to spam and phishing attacks via SMS (smishing) and voice calls (vishing), which aim to deceive users into disclosing sensitive information.
  • NSO group and Pegasus: Organizations like the NSO Group develop sophisticated malware like Pegasus, targeting mobile devices to infiltrate communications and compromise device security.

Android security

Android basic features:

  • Popularity:
    • Android powers approximately three out of four mobile devices worldwide.
    • Dominates the smartphone and tablet markets due to its open-source nature and affordability.
  • Development:
    • Created by Google and based on Linux.
    • Open-source and customizable, allowing manufacturers to adapt the OS for various devices.
  • Device administration:
    • Android supports app development via tools like Android Studio.
    • Deprecation of some administrative policies; developers should keep up-to-date with Android API changes.

Rooting

  • Definition:
    • Rooting grants administrative (root) access, bypassing built-in security restrictions.
    • Similar to jailbreaking on iOS, but specific to Android.
  • Benefits:
    • Bypass restrictions: Install apps from external sources and enable tethering.
    • Remove bloatware: Delete pre-installed apps that consume resources.
    • Customization: Modify the OS and install custom ROMs.
  • Risks:
    • Security vulnerabilities: Increased risk of malware through third-party apps.
    • Warranty void: Rooting typically voids the manufacturer’s warranty.
    • Bricking: Improper rooting can render the device inoperable.

Rooting tools

Hacking Tools

  • Drozer: vulnerability scanner.
  • zanti-zscan: mobile penetration testing toolkit by Zimperium.
  • Kali NetHunter: a mobile penetration testing platform that doesn’t require rooting.
  • DroidSheep: intercept unprotected web sessions (requires rooting).
  • C-Sploit: a Metasploit-like tool for Android.
  • ADB (Android Debug Bridge): enables shell access for debugging and app management.

Security measures

  1. Avoid rooting: retain built-in security protections.
  2. Use strong screen locks: secure devices with PINs, passwords, or biometrics.
  3. Install apps from trusted sources: only download from Google Play to avoid malicious APKs.
  4. Install antivirus and anti-malware: e.g. AVG, Avast, Norton, Bitdefender.
  5. Keep the OS updated: regular updates fix vulnerabilities and improve security.
  6. Avoid public WiFi: use VPNs for secure connections when necessary.
  7. Enable location services: helps track and recover lost devices.
  8. Beware of smishing: treat suspicious text messages with caution and avoid clicking unknown links.
  9. Disable unused features: turn off WiFi, Bluetooth, and location services when not in use.

iOS security

Developed by Apple, iOS powers iPhones and iPads. It was released in 2007, initiating the smartphone revolution, and is renowned for its smooth performance, advanced hardware, and secure ecosystem. Among its security features are:

  • Secure boot: ensures only authorized boot processes occur.
  • Biometric authentication: Face ID, Touch ID.
  • Passcodes: adds another layer of security.
  • Code signing: requires apps to pass stringent Apple code reviews.
  • Sandboxing: isolates apps to prevent unauthorized access to system resources.

Jailbreaking

  • Definition: bypassing iOS restrictions to gain root-level access and remove sandboxing. It is similar to rooting on Android devices.

  • Advantages:

    • Install third-party or unsigned apps.
    • Full customization of the device.
  • Disadvantages:

    • Increased risk of malware and malicious apps.
    • Voids warranty and may brick the device.
    • Compromises built-in security measures.
  • Types:

    1. Tethered: requires the device to be connected to a computer to boot in a jailbroken state.
    2. Semi-Tethered: boots normally but requires a computer to reapply the jailbreak for functionality.
    3. Untethered: device remains jailbroken even after reboots.
    4. Semi-Untethered: similar to semi-tethered but allows patching directly from the device without a computer.
  • Tools:

    • Hexxa/Hexxa Plus: Popular jailbreaking tools.
    • Numerous tutorials and tools are available online for jailbreaking.

iOS-Specific Security Threats

  1. Trust jacking:
    • Exploits the “Trust This Device” feature during iTunes sync over WiFi.
    • Allows attackers remote access to sensitive data.
  2. iOS malware:
    • Includes threats like Pegasus and spyware tools.
    • Targets high-profile users and exploits zero-day vulnerabilities.
  3. Hacking Tools:

Security Measures for iOS Devices

  1. Avoid jailbreaking: retain built-in security protections.
  2. Enable screen locks: use Face ID, Touch ID, or strong PINs.
  3. Install trusted apps: avoid sideloading apps or downloading from unverified sources.
  4. Regular updates: apply patches and updates as soon as they are available.
  5. Use VPNs: encrypt data during network transmission.
  6. Disable unused features: turn off WiFi, Bluetooth, and location services when not in use.
  7. Enable “Find my iPhone”: track your device if lost or stolen.
  8. Use a password manager: avoid weak or reused passwords.
  9. Install mobile security suites: e.g. Trend Micro, Norton, or Bitdefender.
  10. Avoid public WiFi: minimize exposure to untrusted networks.

iOS Hacking Tools

  • Network Analyzer Pro: for information gathering.
  • Trustjacking: exploiting the trusted device feature to access the device remotely (juice jacking, by contrast, is done through a compromised charging cable or port).
  • Malware Examples: Pegasus, developed by the NSO Group, used for espionage.

Mobile device management

Mobile Device Management (MDM)

  • Definition: software solution allowing administrators to manage and secure mobile devices across various operating systems (e.g., Android, iOS, Windows, Chrome OS).
  • Capabilities:
    • Authentication enforcement: require passcodes or biometric authentication.
    • Remote actions: lock or wipe lost/stolen devices.
    • Root/Jailbreak detection: flag compromised devices for security.
    • Policy enforcement: apply security rules (e.g., app restrictions, password policies).
    • Inventory tracking: monitor devices as part of organizational assets.
    • Real-Time monitoring: generate alerts for compliance and security issues.
  • Examples of MDM Solutions:
    • ManageEngine Mobile Device Manager Plus: supports cloud or on-premises deployment and manages devices running Android, iOS, macOS, Windows, and Chrome OS.
    • IBM MaaS360 with Watson: cloud-based mobility management solution that integrates AI-driven insights for enhanced device security.

Bring Your Own Device (BYOD)

  • Definition: employees use personal devices for work-related tasks.
  • Benefits:
    • Increased productivity: employees can work on familiar devices.
    • Flexibility: access business resources anytime, anywhere.
    • Cost savings: reduces organizational expenditure on devices.
    • Employee satisfaction: allows use of preferred devices.
  • Risks:
    • Diverse devices: increased attack surface for IT and security teams.
    • Data co-mingling: personal and business data coexist, complicating security.
    • Unsecured networks: users may connect to insecure Wi-Fi.
    • Device disposal: improper disposal could expose sensitive data.
    • Lost/Stolen devices: high potential for data breaches.
    • Policy circumvention: users may bypass corporate restrictions (e.g., use cellular networks to access restricted sites).

BYOD Policies

  1. Secure environment: require secure passwords and full-disk encryption. Implement device health checks before granting access.
  2. Standardized technology: approve a list of supported hardware, software, and apps.
  3. Policy documentation: publish and disseminate clear guidelines on acceptable use.
  4. Local storage and removable media control: define what data can be stored locally or on external drives.
  5. Network Access Control (NAC): use NAC to assess and allow device connections based on compliance.
  6. Web and messaging security: enforce secure communication and browsing practices.
  7. Data Loss Prevention (DLP): apply measures to prevent unauthorized data sharing or exfiltration.
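The device health check and NAC gate from the policy list above, as an added Python example that is not part of the original notes or of any MDM product. The policy thresholds, device records and evaluation date are constructed; a real deployment would take the device attributes from the MDM agent.

```python
from datetime import date

# Hypothetical BYOD policy for this example (constructed, not from a real product).
POLICY = {
    "min_os_version": {"android": (13, 0), "ios": (16, 0)},  # standardized technology list
    "max_patch_age_days": 90,
    "require_disk_encryption": True,
    "require_screen_lock": True,
    "block_rooted_or_jailbroken": True,
}
EVALUATION_DATE = date(2024, 6, 1)  # fixed so the example is reproducible

def check_device(device: dict, policy: dict, today: date):
    """Evaluate one device record, as an MDM agent might report it, against the
    policy. Returns (compliant, reasons); every failed control is listed, not
    just the first, so the user can fix all of them before retrying access."""
    reasons = []
    os_name = device.get("os")
    minimum = policy["min_os_version"].get(os_name)
    if minimum is None:
        reasons.append(f"unsupported platform: {os_name}")
    elif tuple(device.get("os_version", (0, 0))) < minimum:
        reasons.append(f"{os_name} {device['os_version']} below minimum {minimum}")
    patch_age = (today - device["patch_level"]).days
    if patch_age > policy["max_patch_age_days"]:
        reasons.append(f"security patch level is {patch_age} days old")
    if policy["require_disk_encryption"] and not device.get("disk_encrypted"):
        reasons.append("full-disk encryption disabled")
    if policy["require_screen_lock"] and not device.get("screen_lock"):
        reasons.append("no screen lock configured")
    if policy["block_rooted_or_jailbroken"] and device.get("rooted"):
        reasons.append("device is rooted or jailbroken")
    return (not reasons, reasons)

def nac_decision(devices: dict, policy: dict, today: date) -> dict:
    """Map each device to 'allow' or 'quarantine', the way a NAC gate would
    use the health check before granting network access."""
    return {name: ("allow" if check_device(dev, policy, today)[0] else "quarantine")
            for name, dev in devices.items()}

# Constructed device records (not real inventory data).
SAMPLE_DEVICES = {
    "alice-pixel": {"os": "android", "os_version": (14, 0), "patch_level": date(2024, 5, 5),
                    "disk_encrypted": True, "screen_lock": True, "rooted": False},
    "bob-iphone": {"os": "ios", "os_version": (15, 7), "patch_level": date(2023, 12, 1),
                   "disk_encrypted": True, "screen_lock": False, "rooted": True},
    "carol-tablet": {"os": "windows", "os_version": (11, 0), "patch_level": date(2024, 5, 20),
                     "disk_encrypted": False, "screen_lock": True, "rooted": False},
}
```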

General Security Guidelines for Mobile Devices

  1. Use antivirus and anti-spyware: e.g. Norton, Bitdefender, or Trend Micro.
  2. Restrict app installs: avoid unnecessary or suspicious apps.
  3. No sideloading, jailbreaking, or rooting: prevent actions that compromise built-in security.
  4. Remote wipe capabilities: ensure sensitive data can be securely deleted from lost devices.
  5. Enable disk encryption: protect data in case of device theft.
  6. Apply regular updates and patches: keep the OS and apps current to mitigate vulnerabilities.
  7. Secure network connections: avoid public Wi-Fi or use VPNs for encrypted access.
  8. Educate users: train employees on secure usage and recognizing phishing (e.g., smishing).