CIT-273 Ethical Hacking
Tuesday, March 29, 2016
OS Vulnerabilities
Note: This will be a verbally delivered briefing at 2:30 PM
For purposes of this discussion, we define an “OS vulnerability” as a weakness in a computer system in which neither the hardware itself nor the applications on the computer are part of the initial penetration. While an application can be attacked after an OS attack or penetration is made, and a hardware weakness can be attacked or exploited in order to perform an OS-based attack, this briefing will cover only attacks on and vulnerabilities of the OPERATING SYSTEM itself.
Virtually every operating system has flaws or weaknesses, and these weaknesses can be exploited by hackers at various levels to permit remote exploitation and penetration of the computer.
An Operating System is the intersection or nexus between the computer hardware and the applications that make the hardware perform useful tasks.
Microsoft Word, Excel, and PowerPoint are all examples of computer applications that perform useful tasks.
Microsoft Windows, Linux, MacOS, and iOS are operating systems that run on hardware.
Hardware has an extremely wide definition, and quite often the hardware is operating-system independent: hardware originally designed to run Windows can be tweaked to run MacOS or Linux.
Hardware tends to be vulnerable to heat, moisture, and power variations; operating systems, on the other hand, can be vulnerable to buffer overflows, privilege escalation, memory over-reads, pointer manipulation, time manipulation, directory manipulation or deletion, and other tasks normally performed inside the operating system but which may be corrupted by the hacker in order to destroy or manipulate data, or to gain access to things on the computer that are off limits.
With modern computers, tablets, cellphones and other digital devices there is a fusion and overlapping of operating systems: one runs from the hard drive, a different one runs on the video card, a different one runs on the motherboard (in the form of a bootstrap or BIOS), plus the actual operating system; in the case of computer systems that use cellular services there is a separate operating system for those services, and in some cases the encryption system or security system may have an operating system of its own.
The point is that modern computers are typically an intermingling of various operating systems which talk to each other to create a seamless illusion of interoperability.
The National Vulnerability Database, maintained by the National Institute of Standards and Technology [ https://web.nvd.nist.gov/view/vuln/ ], lists various categories of vulnerabilities found on a modern operating system, some of which include:
Authentication Issues
Buffer Errors
Code Injection
Command Injection
Configuration
Credentials Management
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Cryptographic Issues
Data Handling
Format String Vulnerability
Improper Access Control
Indicator of Poor Code Quality
Information Leak / Disclosure
Information Management Errors
Injection
Input Validation
Insufficient Verification of Data Authenticity
Link Following
Location
Numeric Errors
OS Command Injections
Path Equivalence
Path Traversal
Permissions, Privileges, and Access Control
Race Conditions
Resource Management Errors
Security Features
Source Code
SQL Injection
Time and State
Each of these OS vulnerability types can be stacked to gain increasingly powerful access, or to inflict increasing levels of damage.
An example of damage that can be inflicted via an OS vulnerability is to erase or encrypt a file system, or to inflict an extended CPU loop while at the same time reducing fan speeds to push the CPU beyond its damage thresholds, which forces a CPU shutdown, and then to repeat this until the CPU sustains permanent damage and can no longer be used. This sort of overload can be initiated through the operating system against the main CPU, the video processor, or any point in the computer where temperatures are carefully controlled.
An OS vulnerability may also allow restricted files to be accessed or modified to bring about any number of nefarious ends, or illicit access.
The standard install of an operating system is probably not going to give you the security required to help you sleep at night. It is absolutely imperative for security engineers to “harden” technology as much as possible. The downside is that there is no one-time fix; daily maintenance is required as new variables are constantly introduced. These variables do not need to come from external sources: internal changes, such as turning on a file sharing service, can inadvertently create holes in security.
One way to make your operating system more secure is to disable any unused services running in the background without the user's knowledge. For example, when Microsoft Windows XP was launched, it had 90 services running by default; when Windows 7 was launched, this number had increased to over 130 services running by default. Closing these gaps allows
Every service obviously has the potential to create huge security gaps, but the biggest problems come from 0-day vulnerabilities. These vulnerabilities are the biggest concern for security teams because the manufacturers may not even know about the flaw yet. It is known as a “zero-day” because once the flaw becomes known, the software's author has zero days in which to plan and advise any mitigation against its exploitation. For example, in 2014 the Heartbleed SSL vulnerability took months for many different manufacturers to patch. It is important for security professionals to do their own research and not depend solely on the manufacturers of the operating systems. It may take some time to go through the entire services list, but it is very important to find and disable all unneeded services to mitigate unwanted issues.
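As an added example (not part of the original briefing), the following Python script compares the services running on a host against an approved baseline, so that anything outside the baseline is surfaced for review and disabling, and anything expected but absent is reported too. The systemctl-style listing and the baseline set are constructed here for illustration.

```python
import re

# Constructed sample in the style of `systemctl list-units --type=service --state=running`;
# this is not output captured from a real host.
SAMPLE_SERVICES = """\
  UNIT                 LOAD   ACTIVE SUB     DESCRIPTION
  sshd.service         loaded active running OpenSSH server daemon
  cron.service         loaded active running Regular background program processing daemon
  cups.service         loaded active running CUPS Scheduler
  avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
  smbd.service         loaded active running Samba SMB Daemon
  rsyslog.service      loaded active running System Logging Service
"""

# Hypothetical baseline for a headless server: any running service not listed
# here is reviewed and, if it is not needed, disabled.
BASELINE = {"sshd", "cron", "rsyslog"}

# Matches one running-service row; the header row and non-running units do not match.
LINE_RE = re.compile(r"^\s*(\S+)\.service\s+loaded\s+active\s+running\b")

def running_services(listing: str) -> set:
    """Extract service names (without the .service suffix) from systemctl-style output."""
    names = set()
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            names.add(m.group(1))
    return names

def audit(listing: str, baseline: set) -> dict:
    """Report services running outside the baseline and baseline services not running."""
    running = running_services(listing)
    return {"unexpected": running - baseline, "missing": baseline - running}

if __name__ == "__main__":
    result = audit(SAMPLE_SERVICES, BASELINE)
    for name in sorted(result["unexpected"]):
        print(f"review/disable: {name}")
    for name in sorted(result["missing"]):
        print(f"expected but not running: {name}")
```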
Another basic point to remember is to check daily for patch releases from hardware and software manufacturers. Replacing legacy infrastructure components is usually required as well to resolve many issues. Normally, these updates and upgrades should be tested first in a lab environment to prevent significant downtime from these changes, and having a backup plan is imperative as well.
Encryption for communication is paramount as well. Always assume that there is the possibility of someone listening, like the NSA. It is very easy to intercept communication these days, especially on wireless networks in coffee shops, airports, and anywhere there is publicly available Wi-Fi. Also, never store important information on your machines without some kind of encryption to secure it. Adding the extra layer of a salt on a hash can make it a little more difficult for a hacker to perform a brute force on the hash dump. Obviously, it is critical to understand that passwords should never be shared or left anywhere in plain text, such as on a sticky note somewhere in your work area, as we have all seen before.
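As an added example (not part of the original briefing), the following Python code shows the salted-hash point above: the same password stored with a per-user random salt yields different digests, so a table of precomputed hashes that matches the unsalted scheme finds nothing against the salted one. The wordlist and passwords are constructed for illustration; PBKDF2-HMAC-SHA256 is used as the salted scheme.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

def unsalted(password: str) -> bytes:
    """The weak scheme: a bare SHA-256 of the password, identical for every user."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted scheme: PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.
    Returns (salt, digest); both are stored, and the salt is not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

def precomputed_table(wordlist) -> dict:
    """Digest -> word lookup built once for the unsalted scheme. This is what a salt
    defeats: with salts, every distinct salt value would need its own table."""
    return {unsalted(w): w for w in wordlist}

def lookup(table: dict, digest: bytes) -> Optional[str]:
    """Return the word whose unsalted digest equals `digest`, or None if absent."""
    return table.get(digest)

if __name__ == "__main__":
    # Constructed wordlist and password for the demonstration.
    table = precomputed_table(["password", "letmein", "correct horse"])
    print(lookup(table, unsalted("correct horse")))  # found: unsalted digests are reusable
    salt, digest = hash_password("correct horse")
    print(lookup(table, digest))                      # None: the table does not apply
    print(verify_password("correct horse", salt, digest))
```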
Be very careful when utilizing protocols such as Telnet, HTTP, FTP, TFTP, SNMPv1 and v2, as these protocols transmit data in cleartext. If your concern is security, then harden all possible gaps and make it a daily priority to check for and mitigate any potential loss of data.