Defend from hackers using computer networking fundamentals
As developers, we all know the importance of computer networking for security purposes, but it is such a dense topic, full of complexities and acronyms that scare us and we prefer to leave most of that work to the DevOps team. The objective of this article is to change this paradigm and enlighten developers and IT specialists to look at computer networking with a different mindset. We will dive into the OSI Model (Open Systems Interconnection Model) and explain how each layer works and how we can attack and protect them after giving a brief overview of each of them.
OSI Model
Computer networking is a hard topic because it not only deals with connecting two or more computers logically but also with the electrical engineering part of how will information travel consistently on physical mediums with the best throughput as possible. After this engineering part, we have to deal with topics such as routing, in other words, how to guarantee that information will travel from computer A to computer B. But what information is getting from A to B? A list of 0s and 1s? Can I transform this data such that I can work with it in a friendlier way with my modern programming languages?
The same questions were the ones asked by the International Organization for Standardization (ISO) on the late 1970s. There were efforts from many enterprises to build computer networks, and each one of them had different protocols and technologies, some of those were not compatible with others and required lots of integration effort. The Open System Interconnection Model, OSI Model for short, was created as an abstract model consisting of 7 layers, each one of them dealt with different aspects of systems interconnection. Why on earth is that so important? Because when we approach computer networking with offensive hacking in mind, we tend to scan each and every one of those layers looking for vulnerabilities, and that mindset should be the same when we defend. Without further ado, let’s embrace those layers and describe each one of them.
Layer 1: The Physical Layer
The physical layer is “responsible for the transmission and reception of unstructured raw data between a device and a physical medium [1]”. That means that it not only deals with where the information will travel, but how we can increase throughput and efficiency, reduce noise and guarantee consistency. In other words, this layer deals with wires, fibre, radio signal and all the things an electrical engineer love.
The main tools in this layer apart from the material engineering theory that explains how each medium acts upon the signal, are the concepts of signal and systems which include noise calculations (e.g. Johnson-Nyquist theorem, Shannon-Hartley theorem), modulation and multiplexing.
Eavesdropping
This is the act of listening stealthily to information without the consent from data stakeholders. This means that if an attacker is able to include a device that sniffs the electrical impulses in a cable or radio frequency from wireless transmissions, he might be able to know more than you want him to know. The best way to protect against this kind of attack is by only sending encrypted information and to protect your cables from physical contact by strangers.
Lockpicking
I know, it might sound absurd to refer to locks when dealing with computer networks, but since we are talking about the physical layer, the only way a hacker can access your system is with physical access. That means he could cut your wires and destroy your switches if he got access to where you store your network components. How to protect? Good physical protection: fences, perimeter intrusion detection and assessment systems (PIDAS), Closed-circuit television (CCTV), good quality locks, identification and authorization devices like finger scan systems and security guards. A great way to think about this is to think of the 3 D’s when planning: Deter, Delay and Detect [2].
Access Card Cloning
Just like lockpicking, access card clones are a threat to security. If the attacker is able to steal your card, retrieve and tamper the information, he might gain access to places he should have not. The solution to this problem is to use smart card security. Smart cards [3] are able to identify when data is being tampered and stop working once and for all. Though it may sound great, you have to make sure you are always with the latest technologies as hackers keep improving their abilities and tools as not to get caught.
Tempest Hacking
Though still very hi-tech and uncommon unless you are the NSA, tempest hacking is a researched type of vulnerability that transforms signal emanation, such as screens radiation, into intelligible data. That means that people can know what you are seeing on your screen if they are able to add a receiver in your room. Below is an example of tempest hacking in action in a Security and Cryptography lab in Switzerland [4]:
Layer 2: The Data Link Layer
Once we have the aspects of our physical layer defined, we have to analyse how connections point-to-point will work. The data link layer is responsible for managing how a connection from a node A to another node B works. The data link layer is also responsible for double-checking whether the physical layer sent information correctly (LLC) and for establishing and terminating connections between two nodes (MAC).
The most known component of the data link layer is the Medium Access Control protocol, or for short, the MAC protocol. This protocol is a set of rules that define how computers get access to the data and permission to transmit it. One of the components of this protocol is the MAC address, which is a globally unique identifier that is the main piece for defining the communication between nodes in a network, it works as a guarantee that the two nodes that are being linked are who they should be.
MAC Spoofing
As we read previously, the MAC address is a globally unique identifier, but many drivers allow the MAC address to be spoofed such that you become somebody else. MAC spoofing is a vulnerability that cannot be prevented and it is advised to enterprises to use methods with authentication mechanisms, such as 802.1x with EAP-TLS. The reason for that is that MAC addresses do not guarantee authentication safety and by using strategies such as EAP-TLS we are allowed to use certificates and do this process of authentication with cryptography included.
CAM Overflow
Switches operate internally by building a reference table of MAC addresses so that they can know to which ports they should forward the frames to. This reference table is called “content addressable memory table” and is the target of a common overflow technique. In this type of overflow exploit, hackers may connect to one or more switch ports and mimic thousands of random MAC address until the capacity of the CAM table is filled and consequently, it starts to flood all traffic to all ports of the switch. Some common defence countermeasures are limiting the number of connections to a single port of the switch, packet filtering through an AAA server in 802.1x networks and MAC filtering [5].
Layer 3: The Network Layer
Commonly referred to as the IP layer, the network layer is responsible for transmitting information to different networks in variable length data sequences often called “packets”, and it does that by mapping physical addresses (MAC) to logical addresses (IP) in a way that it can route interconnections. The reason why I used the word “interconnections” is to make clear that the main difference between layer 2 and layer 3 is the fact that layer 2 cares about local connections while layer 3 goes beyond that.
When referring to interconnections, there should be a clear distinction between local and external IPs. The sole purpose of IP addresses is to guarantee that data can be routed externally and internally, so computers connected to the internet will have both external and internal IP addresses.
IP Spoofing
As demonstrated in layer 2 explanation, it is possible to impersonate another computing system by spoofing its MAC address. In the network layer, the corresponding computer identity is the IP address, and the good news is you can trick it as well. We can also apply packet filtering strategies to avoid being fooled by IP spoofing, but it is much better to make use of network protocols that do not rely on IP addresses for authentication, such as IPSec. In IPSec, every computer has a credential, and communications only occur after mutual authentication. Unless the credential is compromised, there is no way a hacker can spoof its IP address.
ARP Cache Poisoning / ARP Spoofing
The ARP protocol is a set of components that map physical addresses to logical addresses, and for this job, it requires a reference table called ARP cache, just like the table we’ve mentioned on the CAM overflow example. This attack is a bit different though because the objective is not to overflow, but to control and trick.
The attack sends some packets to the router telling he has the MAC address of the victim. After that, he sends equivalent packets to the victim telling his MAC address is the same as the router. Now the ARP cache is poisoned, and both the router and the victim’s machine are fooled, they will redirect all traffic to the hacker’s computer. There are many ways to defend against this though such as using IPSec or any other protocol that works with certificates, smart packet filters and using VPN tunnels.
Layer 4: The Transport Layer
Now that we are able to transfer data to different networks, we should have some type of guarantee whether data that is travelling from one place to another is consistent and respects the maximum size of packages that the receiver accepts. The transport layer acts as a “management control”, and it does that with two main flavours: Transfer Control Protocol (TCP) and User Datagram Protocol (UDP). The first always check after sending packages whether information arrived correctly, while the latter doesn’t, which makes TCP more reliable and UDP faster.
Port Scanning / OS Fingerprinting
Although not real vulnerabilities, both techniques are extensively used by hackers before exploiting their victims. Fingerprinting is a mandatory step before attacking victims because it is the only way to understand what kind of environment they are dealing with, and that means not only what kind of exploits they will find, but what kind of logs they can leave behind. The best way to defend against reconnaissance is by configuring firewalls and access control lists correctly.
Packet Crafting
After understanding how systems in a network manage the flow of information, a more knowledgeable hacker can craft packets to try to overflow layer 4 management system. Since it is very dependent on the deployed systems, there is no single solution to the problem, unfortunately.
Layer 5: The Session Layer
The session layer is responsible for all the traffic control in a node, which means all connections that are initiated and terminated are done here. Its name, session, has to do with the fact that it defines connections’ durations. Before starting connections, the session layer performs a handshake, an operation that guarantees both endpoints are ready to send and receive data. Whenever connections stop, this layer will decide whether they should be restarted or terminated.
Cookie Hijacking
For those familiar with the HTTP protocol, there exists a component called “cookie”, which is responsible for storing many session information on client computers. Most modern systems use cookies as the authentication storage unit, which means that all session information is stored there. Since we have hacker intentions in this article, we will apply a technique called “man in the middle”, which is the superset of ARP Spoofing mentioned before, to make sure we will eavesdrop all communication information that travels from the client to the server and vice-versa. Once we do that, we are finally able to hijack the cookie and use it to authenticate on the server impersonating the victim. The best way to protect against most types of session hijack is to use encrypted protocols, in this case, we could have used HTTPS, and we would be safer. There are other types of cookie hijacking, but it is not the intention of this article to describe them all, but to introduce them to a broad public.
Layer 6: The Presentation Layer
The presentation layer is a facade that transforms data packets into data formats that can be understood by the next layer. This layer is great when dealing with encryption and compression, as it can encapsulate such logic in an elegant manner that is invisible to the eyes of layer 7. Since it represents a data transformation step, it is the layer with the least possibilities of exploits. Most exploits will have to do with lack of data sanitization or lack of proper encryption.
Data Poisoning
The presentation layer deals with data transformation, and it is correct to assume that this mechanism is the main target of “presentation hacking”. Data poisoning is writing characters that during the encoding/decoding process will be transformed into uncontrolled exceptions. In February of last year, a data poisoning exploit was found on many web and mobile platforms, where a single character of Unicode, the Indian Telugu, made web browsers and smartphones crash. Companies fixed it as soon as possible to guarantee users’ safety. The only way to solve problems like this is to use safe code libraries and filter characters (or sequences of characters) that should be accepted by your software.
Layer 7: The Application Layer
We have finally reached the last component of the OSI model. The application layer allows applications to access the network, identifies communication partners, determines resource availability and sync communications. It provides access to final data to applications. Even though this is the highest level of abstraction in the OSI model, the application layer tends to be the most vulnerable layer, as it is fully dependent on the ways apps and programming languages were developed. The application layer is the one that offers programmers many protocols that are used daily such as HTTP, SMTP, FTP, etc. Most of the vulnerabilities are application specific, but we can mention a few…
Buffer Overflow
Probably one of the most deadly exploits, the buffer overflow has nothing to do with networking but give hackers unlimited power to victim’s machines. It uses the fact that once a hacker can allocate memory beyond computers stack boundaries, they can send any sequence of assembly commands to be executed. This exploit affects the application layer because it makes apps behave in any desired way, giving the hacker full access to all networking features of the layer.
SQL Injection
To query and modify data on databases, programs send commands to the server. When there are no filters though, attackers can send unwanted commands to make the server behave “better”, such as giving more information than they should. The only way to solve such a problem is to write parameterized queries and to treat inputs to avoid being fooled by smart hackers. This one is all in the hands of good programmers.
References
[1] https://en.wikipedia.org/wiki/OSI_model
[2] http://scitechconnect.elsevier.com/wp-content/uploads/2013/09/Layer-1-The-Physical-Layer.pdf
[3] http://theses.gla.ac.uk/3091/
[4] https://www.youtube.com/watch?v=AFWgIAgMtiA
[5] https://kalilinuxtutorials.com/macof/
[7] https://www.sciencedirect.com/topics/computer-science/three-way-handshake
