2 Aktuell: http://heise.de/-1542748 Österreichische Bürgerkarte erneut angreifbar Die österreichische Bürgerkarte, die ähnliche Signierfunktionen wie hierzulande der nPerso hat, ist erneut angreifbar: Ein Angreifer kann die Java-basierte Online-Version der Bürgerkartenumgebung (BKU) missbrauchen, um etwa Banktransaktionen zu autorisieren oder PDF-Dokumente mit der qualifizierten Signatur des Opfers (gleichbedeutend mit einer Unterschrift auf Papier) zu unterzeichnen. Dies hat der Sicherheitsexperte Wolfgang Ettlinger herausgefunden. …Dr. Wolf Müller
3 Vorstellung: Übungsaufgabe Seitenkanalangriff CrackmeDr. Wolf Müller
4 Software IDAPro auf gruenau[1-4] idal Terminal idaq GUI Dr. Wolf Müller
5 FAT File System MS-DOS FAT12,FAT16 frühe Windows-Versionen FAT16 Single user, single taskingFAT (File Allocation Table) file system.Einfache Dateiattribute:Directory entryRead OnlyArchiveSystemHidden8.3 Format für Dateien, Verzeichnisse12 bit FAT = max 4096 clusters of 512 to 4k bytes (max 16Mb)16 Bit FAT = max 65,525 clusters of 2k to 32k each (max 2Gb)SHARE.EXE erlaubt Mehrfachzugriff für DateienPermissions, ACLs?MS-DOS FAT12,FAT16 frühe Windowsversionen FAT16Single user, single taskingFAT (File Allocation Table) file system.Einfache Dateiattribute:Directory entryRead OnlyArchiveSystemHidden8.3 Format für Dateien, Verzeichnisse12 bit FAT = max 4096 clusters of 512 to 4k bytes (max 16Mb)16 Bit FAT = max 65,525 clusters of 2k to 32k each (max 2Gb)SHARE.EXE erlaubt Mehrfachzugriff für Dateien
6 VFAT Windows 95 lange Dateinahmen Single user / multitasking Dateiattribute wie gehabt.2 Terabyte disk size with FAT32In summary FAT whatever the flavour is wasteful in terms of slack space, ie the space between what the file users and the size of the cluster. FAT has no attributes for security.
7 FAT32 Windows 95sr2/ Windows 98 Adressierung mit 32 Bit, 4 Bit reserviert:228 = Cluster adressierbarDateien dürfen max. bis zu 4 GiB − 1 Byte (= Byte) groß sein
8 OS/2 Single User, Multi-tasking Uses HPFS – High Performance File System,File attributesAs per MS-DOS plusCreation time and dateModification time and dateAccess time and date256 character file names2 Terabyte maximum disk sizeHPFS although an improvement over DOS FAT does not have security to make it appealing for network resource sharing. OS/2 LAN Manager used to add network capabilities
9 NTFSWindows NT, 2000, XP, 2003Various versions of NTFS latest being version 5.0Multi-user, multi-taskingNTFS is a Journaled File SystemFile attributes and PermissionsAttributes Read Only, System, Hidden and Archive.PermissionsReadWriteExecuteDeleteOwnershipControlMulti-user, multi-taskingNTFS is a Journaled File SystemFile attributes and PermissionsAttributes Read Only, System, Hidden and Archive.PermissionsReadWriteExecuteDeleteOwnershipControl
10 NTFS (2)FeaturesFile quotasFile compressionEncryptionIndexing serviceDrive spanningThe machine’s user need not be given access rights to all the resources.Problem?Refer to Knoppix for booting from Linux with NTFS file system enabled, deleting SAM etc.
11 NTFS - Access Control Lists MFT Security Descriptor Attribute for a file or folder contains two tables of lists:SACL – System Access Control List, which records auditing informationDACL – Discretionary Access Control List – which maintains list (of Access Control Entities) i.e. users’ SID and list of permissions for that file or folderWin NT uses static inheritance modelWhen a folder is created it inherits permission from the parent folder, but if changes are later made to the parent the subfolders do not change unless you select to Apply the changes to subfolders, which can act as a sledgehammer overwriting individually set subfolder permissionsWin 2000 uses dynamic inheritance modelAs parent folder change, permissions are inherited to the subfolders dynamically.Win 2000 offers more flexible control over inheritanceACLs can be resident in the MFT or stored as separate Metadata
12 NTFS – Data Streams file:stream e.g. echo Hello > test.txt:AWPP echo GoodBye >> test.txtmore < test.txtmore <test.txt:AWPPI present this is an example of the difference between FAT and NTFS. So far it seems that just an alternate hidden file is stored away, but the example of data streams shows how different NTFS is. What are its purposes... Many... Its primary used was for the simulation and support of Fork and Resource component for a Macintosh file like the HFS system (Macintosh Hierarchical File System). But it can also be used for inbuilt thumbnails of a graphic file, copyright information for music. Also if you right click on a file from Explorer you can set properties for the file which are maintained as alternate data streams.In case some of you are wondering this feature has already been used in malware, to avoid detection of malicious code, and naturally enough used to hide information from law enforcement agencies.If you copy a file with data streams to an NTFS volume it will retain the stream, but not when you copy to other file systems. This has implications when backing up files, if you copy them to a CD you will lose the alternate data streams, but if you tape backup software supports streamed data then you will preserve it. Some compression software will preserve ADS but others like Winzip lose it.For interest you can hide an executable in a data stream , and then execute it with start .\myfile:stream.exe (ie include ,exe in the stream name)
13 File system’s role in User Level Security in NTFS NTFS has extended attributes to support secure multi-user access.Access Control List, ACL, maintains list of User, Groups (or Computers) with rights allowed or denied to a resource.Cannot access Local machine’s data, without valid user account with rights to do so.
14 Local User AccountsGive users access to resources on a single machine, whether that user logs in locally or remotelyThese accounts reside in the Security Access Manager (SAM) located as a file on the machine.SAM maintains passwords and permissions for the user, and each user is given a Security Identified SIDSID’s are used in Access Control Lists on files and foldersLocal Groups can be created to group similar user permissions.Built in accounts include Administrator and GuestBuilt in groups include Administrators, Power Users, User, EveryoneStandard Permission make the bewildering array of choices easier to work withOnly the Administrator or members of the Administrator Group can manage the full set of information for users and groups.The Guest account can represent a security weakness, or can be used to implement Share Level type security for systems not requiring high security
15 Issues with User Level security in workgroups or standalone Each user and or group must be setup on each local and remote machine that user need to access, management is complexPasswords can get out of sync very easily, users may not be set up identically through the system.Verifying a user’s access rights across a large organisation is an impossibly daunting taskSystem is generally very secure, which can be a problem if users forget passwords, especially to Administrator user account on Local machine. You forget - You regret.In many cases you need administrator rights to install software, or configure the machineActiveDirectory, WindowsDomains
16 Workgroups or stand alone with User Level sharing Each machine (server or workstation peer ton peer server) that a user wishes to remotely log on to must have that user set up in the database of users for that machine.Each user is generally defined with a password.Users can be added as members to groups toAny of the pre-defined standard groups, eg User, Everyone, Power Users, Administratorsor groups can created on the machine.You must have an Administrator account or someone of that equivalence.
17 Workgroups or stand alone with User Level sharing (cont) How to share a FolderSet Permissions
18 Workgroups or stand alone with User Level sharing How to share a FolderBrowse to folderOn Share Tab onProperties boxcheck Share FolderPermissions andsecurity
19 Workgroups or stand alone with User Level sharing (cont) How to share a Folder (cont)Use Security forControl of inheritedrightsFine control ofadvanced security
20 Workgroups or stand alone with User Level sharing (cont) Log on as a Local User to a machineEnter Username and PasswordThis username must match a user already setup on this machine, and how has permission to log on as a local userLog on as Remote User to a shared resourceUse Network neighbourhood to Browse thru Workgroup, find a machine, and browse the shareable resources on machineSelect shared resourceIf username and password on local machine match then you are granted access, otherwise you must enter the login name and password.The username password pair must be setup on remote machine
21 Win XP – Simple File Sharing Simple File Sharing allows you to access shared files using the Guest Account (which by default has no password) and comes close to the sort of file sharing of Win95/98/METhere is little or no security using this and is best turned offFrom with My Computer – Tools – Folder Options from View Tab click Advanced – Sharing and Security.
22 Windows DomainsOrganises servers and computers into administrative and physical structures, and users log on to the Domain rather than the individual machines.Where networks are large enough to have several domains, Trust relationships can be used to verify the identity of a user logged on to one domain to another domain. Users still need to be created and managed in each domain, the Trust only authenticates the userA domain has one SAM (Security Account Manager) for the Domain, consolidating managementThe SAM is managed and stored on a machine known as the PDC (Primary Domain Controller), only one machine in a domain can act in this role, it is always advisable to have a Backup Domain Controller (BDC) which has a read only replica of the SAM
23 CD and DVD File Systems ISO-9660 also called CDFS UFS Universal File SystemIncludes advanced features such asLong and Unicode filenames64 bit file sizesFile symbolic linksACL Access Control ListsAlternate Data StreamsUFS is constantly evolving
24 Linux File Systems Ext2 (Extended File System ) Ext3 Reiser JFS XFS Is the usual native file system for LinuxUses inodes and allocation bitmaps (like NTFS)Ext3Adds journalling to Ext2ReiserUses balanced tree indexing, is very efficient with large directories of small files (64k block size)Provides metadata journalling (like NTFS)JFSA journaled file system based on an IBM file systems from OS/2 WarpXFSEach of the above support ACL’s. ACL’s which were introduced in the Linux Kernel
25 Linux Permission Systems Traditionally Linux (and Unix) offer 3 sets of permissions for files and directoriesRead, Write and Execute for the three groups Owner, Group and OthersThis can be very restrictive, being only one owner, and one group per file or directory.Additional control of permissions is provided with ACL’s (like the Windows ACL’s)Support for ACL’s was first brought about for support for Samba (Microsoft file sharing support)Managed through the getfacl and setfacl programs, whereas traditional permissions are managed thru chmod
26 Linux S-Bit Sticky-Bit Aufgaben: Zufriff teilen zwischen mehreren Nutzern1.) automatisiert auch für neue VerzeichnisseS-Bit für Shellskripte?Nur Eigentümer einer Datei (oder der Eigentümer des Verzeichnisses) darf Datei löschen oder umbenennenDr. Wolf Müller