Friday, March 8, 2019

Computing - Server Side Cyber Threats

Now that I've already covered various topics on how the internet works, I want to revisit the notion of cybersecurity as 'defending a castle'.

Though really, it's probably more like 'defending a gated community'.

Picture your typical business as a gated community, with a front office (where mail is received and sorted), various different homes (where employees do their work), and a fulfillment center (surrounded by another wall) that receives and responds to client requests.

I am drastically oversimplifying this, since businesses vary greatly in how they configure their internal network - perhaps putting all the HR people in one walled off section, all the R&D people in another. Or having one building for receiving requests, and sending valid requests on to another building for fulfillment. That's not even getting into how a large company with multiple work locations would be configured, but I'm trying to keep it simple.

So then. Each house, the fulfillment center, and the front office all have their own 'Rosie' to receive and send messages. Rosie comes in all sorts of different makes and models, and if you know her model well you may even know of some 'tricks' that will get her to act in unexpected ways. You might send her a letter with keywords that make her start taking pictures of rooms in the house, or to open up a new window or door for a specific type of message traffic, or initiate some messages of her own.

The postal service delivers all mail to the front office in part because they don't actually have any addresses for anyone inside. It's sort of like how a large business might need someone to sort mail to a specific building or room, though if I'm going to maintain my previous analogies I'll just say that the robot maid in the front office assigns certain windows or doors to a specific home or building inside the community, and knows that any letters delivered to that location (i.e. door number 1470) go to house number 42 in a process called NAT, or Network Address Translation. This developed in part because we were running out of IP addresses, and needed a way for computers to re-use some numbers. It's part of why if you check the IP address for your computer it's most likely to start with 192.168.1.X.

Anyways. What this means is that anyone outside the business has no real idea how to reach any of the homes inside the business unless they are directly responding to someone's messages. There's what's called an 'attack surface' of publicly facing connections - generally the front office and fulfillment center (since all the customers need to be able to reach the fulfillment center in order to make their requests.) Individual employees do offer up a target as well, but it's mostly because they're using their computer to access sites outside their place of work - gotta check those ESPN scores, you know? - and get responses in turn. (Okay, I'm halfway joking about ESPN. There are often legitimate work reasons to access outside websites... but you can communicate with everyone inside the gated community without going through the front office.)

All right, so what happens next? Well... it depends a bit on what you're trying to do, tbh. This is also, btw, where I feel my inexperience shows the most... I'm trying to put into words my understanding of the process, but I may get it wrong. Feel free to comment with any corrections.

Let's start with one type of Denial-of-Service attack, and its close cousin the Distributed Denial-of-Service attack. There you are, at the front office, when suddenly the mailman starts delivering bags and bags of mail. Much like the scene from Miracle on 34th Street, it overwhelms the front office and they wind up throwing away a lot of mail, including legitimate letters.

If it's a straight up DoS attack, you might notice that all the return addresses are the same, which makes it easy to tell Rosie to just throw them all away.

If it's a DDoS attack, the return addresses are generally different. Generally speaking, someone sent letters to a bunch of different robot maids, telling them to send letters to your address. It's called a botnet, and all the different return addresses indicate different robots sending letters as ordered.

Certain kinds of DDoS attacks will all take the same basic form - the 'color' and/or size of one specific type of message (like an ICMP flood). There are still some things the front office can do to help filter it out, and they can also reach out to their nearest post office for help managing the flood of traffic, but it generally requires a bit more management than simply telling Rosie to throw out all the letters from the x.x.x.x address.
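To make the difference between the two cases concrete, here is an added example (my own illustration, not code from the post) of the sort of triage the 'front office' does: it reads constructed per-packet log lines in an assumed "time source-address message-type" format, and decides whether one return address dominates (block that address) or whether many addresses are sending one kind of message (filter by message type instead).

```python
from collections import Counter

# Constructed sample logs, one line per packet: "<time> <source-ip> <type>".
# The addresses are documentation ranges, not real hosts.
SINGLE_SOURCE = ["%d 203.0.113.9 tcp-syn" % t for t in range(40)] + \
                ["%d 198.51.100.%d http" % (t, t % 5) for t in range(5)]
DISTRIBUTED = ["%d 192.0.2.%d icmp-echo" % (t, t % 50) for t in range(200)] + \
              ["%d 198.51.100.%d http" % (t, t % 5) for t in range(5)]
NORMAL = ["%d 198.51.100.%d http" % (t, t % 5) for t in range(5)]


def parse(lines):
    """Turn the constructed log lines into (source, kind) pairs."""
    pairs = []
    for line in lines:
        _, src, kind = line.split()
        pairs.append((src, kind))
    return pairs


def classify(lines, threshold=30, share=0.8, min_sources=10):
    """Pick the cheapest filter the front office could apply.

    Returns {'verdict': ..., 'key': ...} where verdict is:
      'drop-source' - one return address sends >= share of traffic; drop it
      'filter-type' - many addresses, but one message type dominates; rate-limit it
      'normal'      - too little traffic, or nothing dominates
    """
    pkts = parse(lines)
    if len(pkts) < threshold:
        return {"verdict": "normal", "key": None}
    by_src = Counter(src for src, _ in pkts)
    top_src, n_src = by_src.most_common(1)[0]
    if n_src / len(pkts) >= share:
        return {"verdict": "drop-source", "key": top_src}  # plain DoS: one sender
    by_kind = Counter(kind for _, kind in pkts)
    top_kind, n_kind = by_kind.most_common(1)[0]
    if n_kind / len(pkts) >= share and len(by_src) >= min_sources:
        return {"verdict": "filter-type", "key": top_kind}  # DDoS: same form, many senders
    return {"verdict": "normal", "key": None}


if __name__ == "__main__":
    for name, log in (("single", SINGLE_SOURCE), ("distributed", DISTRIBUTED), ("normal", NORMAL)):
        print(name, classify(log))
```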

This sort of attack will disrupt your business, but it's not really getting inside your community.

If you want to gain access to the business's database there are probably two broad avenues of attack (I've never heard anyone put it like this, though, so maybe not). Basically you can do what we discussed earlier, where you manipulate the input at the company's website meant for use by a legitimate customer, or you can try to take over the 'Rosie' that manages that particular building.

If you attack through the website, your message traffic looks superficially legitimate and will probably pass through the front office no problem. Then it gets forwarded for processing at the fulfillment center, and its success depends on what sort of processes occur there. You're not really taking over any computers, you're just submitting a request in such a way that the fulfillment center will respond with information you're not supposed to have.

The other option (and the same sort of option you'd probably use to target the R&D section, or some other part of the business) is to try to reach a Rosie inside. Taking over the computer, or taking over 'a' computer and then pivoting to take over neighboring computers until you finally get the access you want.

This option can be used for all sorts of things, whether it's turning every Rosie into a member of a botnet, or getting Rosie to change information in the filing cabinet, or asking Rosie to take pictures of all the files and send them out to another location, and so on and so forth. You might even just tell Rosie to do nothing, to periodically check a particular window for messages.

But getting Rosie on your side... well, I'll get to that another day.
