Published by Luke O’Neal. Modified over 9 years ago.
1
Cybersecurity Computer Science Innovations, LLC
2
Overview Define Security Discretionary Access Control Trusted Computer System Evaluation Criteria (TCSEC) - Orange Book 1984 by MITRE Corporation Basis for all we do in Security Define Security, how we measure it.
3
Long-term goal Given a System, X, tell me the security level. C2, B1, PL3, PL3+ What does the security level imply? It implies, what you can do with the system. Says Who? Commercial world – Underwriter? What's an Underwriter? Quantify? Insurance Companies.
4
The Present Situation If I am Responsible for System, X, how do I bring it into Production? Someone must Approve. Somebody must assume risk. Who is that? Insurance company DOD Adjudicator. Someone who assumes the risk.
5
Development up to present If your system, and you are well defined. If your security model is simple and based on standards. If you speak the same language as the decision maker? It is easier to get someone to put their neck on the line. Einstein said, If I saw further than others it is because I was standing on the shoulders of Giants.
6
Goals Einstein said, As simple as possible, but no simpler. If you cannot explain it simply, you do not understand it well enough. Any fool can make things more complex it takes genius to find the simplicity. Great science is simple.
7
Science Being Simple Computer Science – Simple seems to win. P-V Semaphore --- Seven lines of code. Google ---- Processing Paradigms.... Simplicity in processing. Map/Reduce …. Solr... Open Source......
8
Definitions Levels of Security Lowest D... Not even discuss it. Next Level up is C... C1 and C2 C1 and C2 rely on Discretionary Access Control. Next level up is B1, B2, B3 which are largely related. B level uses Mandatory Access Control
9
Use of Definitions The same definitions are used for Commercial as Government In other words, there is just one Security. There is Computer Security Used in Different Areas. What is Discretionary Access Control?
10
Discretionary Access Control Concerns itself with Named Subjects accessing Named Objects. So what is a Subject.... Someone or something wishing to access a computer object. You accessing your email. The Subject --- You. The Object Email. What does Concerns Itself with Mean?
11
Subjects and Objects Access Control... Can the subject read or write the Object? That is one thing we are concerned with. Auditing... What did the subject do on June 30th? Who are the subjects that accessed my mail? Assurance – How can I be Guaranteed that all access to the data have access control and Auditing. And … Does my model work?
12
Access Control Access Control has some pieces.... What are the pieces? The first two are Identity Assertion Role Gathering Systems do this. We knew this in 1984.. This is not new and pre-dates the Internet.
13
Identity Assertion Eminem – I am who you say I am. How do you find out your identity? Google... Username and Password Google.. Additional Security through a Token Show Something About yourself Biometric Devices. Prove who you are.
14
How Do We Do Identity Assertion Web Server Browser www.bankofamerica.com Do I have a session
15
How Do We Assert an Identity Username and Password Sitekey Identity Asserter is username and password. Google --- username and password. Challenge ---> send a key to cell phone Biometrics... cheap....
16
Identity Assertion Identity Asserters must be pluggable. What does that mean? It means if I change the Identity Asserter, I do not need to change the software. Best Practice … Run the software with two different Identity Asserters without changing, compiling or writing Software.
17
Role Gathering Browser Web server Asserts Identity Gathers roles
18
Role Gathering Having proven who I am.... What can I do? The Roles Dictate what you can do. So if my role is Administrator.. I can do a lot. If my role is Guest... I can do a little. Show me what you mean. Ok. Let's do a practical Example.
19
Where do We See Roles Web applications..... Web.xml Directory ---- roles can work in the directory Page --- useradmin ----> roles can see it are Administrator.... Browser... look up web.xml roles..... See it.
20
Practical Example - Roles
id
uid=1000(scott) gid=1000(scott) groups=1000(scott),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),129(vboxusers)
Groups are Synonymous with Roles... Spec says. They say what I can do. Use Plug in Devices, Line Printer Administrator, Share Files... etc.
21
What Happened? Logged into my machine. Asserted my identity by username password. Gathered my roles. Determined what I can do. Why? It's the standard.
22
Impromptu Lab
Go to your linux instance. Any linux instance.
id
then do a
sudo su -
then do a
adduser pedro
su - pedro
id
23
Unix File Permissions For a file or a directory we have Modes xxx yyy zzz. For xxx we have read, write and execute for the user (you). For yyy we have read, write and execute for the group (all group membership). For zzz we have read, write and execute for the world (everyone on the computer). So the question is, what permissions does a file get at creation? It is determined by umask, or user mask. So where do you set it?
24
Umask where is it The Unix command umask is set somewhere, most commonly in .bashrc. It also has a default for the system. It is common to set it in your .bashrc. Umask is the permissions given to newly created files.
25
Unix Convention – More than When you create a user, say sherman then the user is sherman and sherman is the name of the private group. So now the home directory is owned by sherman as the user and sherman as a private group. Private groups are used for ownership of things the user is only allowed to write. So your private group has your files for write.
26
Create a User and Private Group
Command – useradd -U sherman
root@ip-10-138-35-253:~# su - sherman
No directory, logging in with HOME=/
$ id
uid=1001(sherman) gid=1001(sherman) groups=1001(sherman)
Command – useradd -U wilson
No directory, logging in with HOME=/
$ id
uid=1002(wilson) gid=1002(wilson) groups=1002(wilson)
27
Create a Group to Share
We wish to create a group, called seahawks, and make wilson and sherman members of that group. We do not wish to change their primary membership, we wish to add them as members of the group.
Command – groupadd seahawks
root@ip-10-138-35-253:~# groupadd seahawks
root@ip-10-138-35-253:~# usermod wilson -G seahawks
root@ip-10-138-35-253:~# su - wilson
No directory, logging in with HOME=/
$ id
uid=1002(wilson) gid=1002(wilson) groups=1002(wilson),1003(seahawks)
$ exit
root@ip-10-138-35-253:~# usermod sherman -G seahawks
root@ip-10-138-35-253:~# su - sherman
No directory, logging in with HOME=/
$ id
uid=1001(sherman) gid=1001(sherman) groups=1001(sherman),1003(seahawks)
$
28
Let's Explore the Private Group
Your home directory is not shared. /home/sherman would have files owned by sherman. The ownership is user:group, so for these files Permissions sherman:sherman. So we have the octets xxx yyy zzz and now ownership. If we look at a home directory we should see
ubuntu@ip-10-138-35-253:~$ ls -al .bashrc
-rw-r--r-- 1 ubuntu ubuntu 3646 Feb 12 20:32 .bashrc
ubuntu@ip-10-138-35-253:~$
29
Let's Look at the shared Group
Setup an area on disk to share. Let's use
root@ip-10-138-35-253:/opt# chown -R sherman:seahawks shared/
root@ip-10-138-35-253:/opt# ls -al
total 12
drwxr-xr-x 3 root root 4096 Feb 12 20:50 .
drwxr-xr-x 22 root root 4096 Feb 12 20:17 ..
drwxr-xr-x 2 sherman seahawks 4096 Feb 12 20:50 shared
root@ip-10-138-35-253:/opt# su - sherman
No directory, logging in with HOME=/
$ cd /opt/shared
$ touch x
$ ls -al x
-rw-rw-r-- 1 sherman sherman 0 Feb 12 20:51 x
30
The Shared Group uses the Private Group
The private group is dominating the directory's group. When we do a touch x as sherman the group owner is sherman. The problem is sherman cannot share with wilson, therefore we do not have a shared group. So chmod 2775 to the rescue.
root@ip-10-138-35-253:/opt# chmod 2775 shared/
root@ip-10-138-35-253:/opt# ls -al
total 12
drwxr-xr-x 3 root root 4096 Feb 12 20:50 .
drwxr-xr-x 22 root root 4096 Feb 12 20:17 ..
drwxrwsr-x 2 sherman seahawks 4096 Feb 12 20:51 shared
31
Some Limitations
If you have a directory tree, then all directories must be set with the 2775. So how do you change just the directories?
Command chmod -R 2775 * -- DO NOT DO THIS. IT CHANGES EVERYTHING INCLUDING FILES.
Proper Command is
find . -type d -exec chmod 2775 {} \;
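The directories-only rule from this slide, as an added example that is not part of the original deck: it finds directories that lack the setgid bit, applies 2775 to directories only, and confirms that regular files kept their mode. The function names and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: give every directory in a shared tree mode 2775 while
# leaving regular files alone, then verify the result.

# Print the directories under $1 that do not have the setgid bit (02000).
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# Set 2775 on directories only. "-type d" is what keeps files out of it;
# "chmod -R" has no such filter and would also mark every file executable.
fix_shared_tree() {
    find "$1" -type d -exec chmod 2775 {} +
}

# Count regular files under $1 whose mode is not exactly $2 (for example 644).
count_files_not_mode() {
    find "$1" -type f ! -perm "$2" -print | wc -l | tr -d ' '
}

# Build a small constructed tree (2 files, 4 directories) and print its path.
make_demo_tree() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/shared/site/css" "$top/shared/logs"
    : > "$top/shared/index.html"
    : > "$top/shared/site/css/main.css"
    # GNU chmod keeps an existing setgid bit on directories when given a
    # plain numeric mode, so clear it explicitly to get a known start state.
    find "$top/shared" -type d -exec chmod 755 {} + -exec chmod g-s {} +
    find "$top/shared" -type f -exec chmod 644 {} +
    printf '%s\n' "$top/shared"
}

demo() {
    tree=$(make_demo_tree) || return 1
    echo "directories missing setgid before: $(dirs_missing_setgid "$tree" | wc -l | tr -d ' ')"
    fix_shared_tree "$tree"
    echo "directories missing setgid after:  $(dirs_missing_setgid "$tree" | wc -l | tr -d ' ')"
    echo "files no longer 644:               $(count_files_not_mode "$tree" 644)"
    rm -rf "${tree%/shared}"
}

demo
```

Running `dirs_missing_setgid` on its own against a real shared area is a read-only way to spot subdirectories that were created before the setgid bit was applied.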
32
Common Shortcomings? Let's say you have a machine with a web server. You have 5 people that are Web Server Administrators What are your options? You can have a Group Account Or you can setup the machine to allow multiple people to update the Web Server.
33
What is Wrong with a Group Account? It Violates Discretionary Access Control. Why? Named Subject, Named Object. NOT Named Group containing many Subjects and Named Object. Must be one to one – Person to Subject. Now Three More Topics for C2.
34
Bringing Up A Web Server Web Server ---- runs on port 80 Web Server ---- runs on port 8080 Ports < 1024 require Admin Privilege to Start Process. Ports >= 1024 do not require Admin Why do we care? Least Privilege....
35
Have “Normal” Users Web Admin So Let's say --- Morris Mo... he is a web admin Cheri is a web admin.... They are going to run As normal users... But they need to share The web server.. and we do not want to violate DAC.. So we need to separate them and Keep Least Privilege...
36
Separate Users Step 1 Create a group per user And create a shared group. Mo Al Webguys shared group.
37
How To
root@companion:/opt# groupadd mo
root@companion:/opt# groupadd al
root@companion:/opt# groupadd webguys
root@companion:/opt# useradd mo -g mo -G webguys
root@companion:/opt# useradd al -g al -G webguys
38
How To
root@companion:/opt# mkdir /opt/share
root@companion:/opt# chown al:webguys /opt/share
root@companion:/opt# chmod 2775 /opt/share
The 2 is the set groupid bit. It means that all files created inherit the group from the directory, not the user.
39
Three More Topics Confidentiality No one can listen in and gain information. Encryption Least Privilege Very Very Important. Am I doing the action with the least amount of Authority. Don't work as Root or Admin Non-Repudiation How can I not deny that I sent it.
40
Confidentiality https Hyper Text Transport Protocol Secure When you read your email are you http or https? Log into your mail. Is it http or https? https
41
Least Privilege I must work as a normal user Or I must work as an admin. Which is better? Why? Myself? Why? You don't mess up the system on purpose or by accident. Ports... https which port is that? 443 Who do you have to be to work as 443? For ports less than 1024 you must be admin
42
How Do We Do Least Privilege With https? The browser (Source) wants to communicate on 443.... Default. The system wants to use a normal user. So what happens? So your Firewall or Router maps 443 to 8443. So the Source requests 443, the System responds with 8443, the Router maps them. Best Practice … Always map to a port >= 1024 to preserve Least Privilege.
43
Outside World to Inside Https in a browser it says communicate on 443 But we want least privilege … So how do we do that. 8443 on the local system. We need our firewall/router administrator to set this up for us.
44
Let's Look At This Web Server 8443 Browser 443 Firewall Al Admin Map Incoming 443 to internal 8443 On a specific Server
45
Apache and Least Privilege
ubuntu@ip-10-204-147-104:~$ ps -ef | grep apache
root 3725 1 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3727 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3729 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 3730 3725 0 14:55 ? 00:00:00 /usr/sbin/apache2 -k start
ubuntu 3828 865 0 14:55 pts/0 00:00:00 grep --color=auto apache
ubuntu@ip-10-204-147-104:~$ sudo su -
root@ip-10-204-147-104:~# cd /etc/
root@ip-10-204-147-104:/etc# grep www-data passwd
www-data:x:33:33:www-data:/var/www:/bin/sh
Apache is not adhering to Least Privilege
46
Unix Cheat Sheet The command ls is the same thing as dir in windows The command ps is process status and commonly used as ps -ef | more Do a ps -ef | more The command pwd is print working directory The command chmod is change mode The command chown is change user and group
47
DAC in UNIX In Unix we get DAC out of the box. How do we do it. Name Subject …. logging in How do we protect files? This is access control.
48
Unix History How did we get to Unix? Who created it? Brian Kernighan, Dennis Ritchie, Thompson. They worked for AT&T in New Jersey in the 70's. They had an idea. What if an operating system was created that worked on any hardware? So they needed a hardware independent language – they called it C.
49
Unix History Continued AT&T gave it away for free. How many run Android? Unix kernel. How many run iPhones? Unix. There are two flavors. System V – MIT – Linux. BSD – Berkeley – Cal Berkeley – Mac/OS. AT&T – Created this.
50
Commands - Unix Permissions wwwxxxyyy for a file or directory. Now let's define www: it has 3 digits for RWE. So RWE is what … 7. Now www is for the user's permission, xxx is for the group's permission and yyy is for the world's permission. So if a file is 400, like a .pem file, what is that? 400 = 100 000 000, which is R-------- at the owner level.
51
More Permissions So if I want a file to be Read and Write for the Owner (User) of the file and Read for the Group and Nothing for the world. Let's do it together www xxx yyy U G O The three digits RWE 110 100 000 = 6 4 0
52
Lab on Permissions So..... A User may Read Write and Execute. The Group may Read and Write. The Other may only Read. What is the pattern? Remember www xxx yyy RWE U G O 111 110 100 = 7 6 4
53
So Back to Commands The command ls -al gives a full listing. You can see the pattern. So we cover a couple more commands and we are done. The command chmod 3DIGITS files changes the mode. chmod 777 allows all access. The command chown user:group lets you set the owner.
54
The World of Discretionary Access Control Says I should have a way to protect my private files....... Well, let's create two users. Chris and Dave Chris should see Chris files and David could see Chris files, but only Chris can update Chris files and only Dave can update Dave files.
55
Let's Do It
root@companion:/opt# groupadd class
root@companion:/opt# groupadd dave
root@companion:/opt# groupadd chris
root@companion:/opt# useradd dave -g dave -G class
root@companion:/opt# useradd chris -g chris -G class
So class is a shared group with two members, dave and chris.
So, dave has a primary group …. dave
So, chris has a primary group …. chris
56
See DAC
Common area and it is called /opt … which is for optional software. The command mkdir makes a directory.
root@companion:/opt# echo "hello" > chris.txt
root@companion:/opt# echo "goodbye" > dave.txt
root@companion:/opt# more chris.txt
hello
root@companion:/opt# more dave.txt
goodbye
root@companion:/opt# ls -al chris.txt dave.txt
-rw-r--r-- 1 root root 6 Jun 25 13:40 chris.txt
-rw-r--r-- 1 root root 8 Jun 25 13:40 dave.txt
57
Chris and Dave – Private for Writing
Command chown user:group file
Command chown chris:chris chris.txt
Command chown dave:dave dave.txt
Command ls -al *.txt
root@companion:/opt# ls -al *.txt
-rw-r--r-- 1 chris chris 6 Jun 25 13:40 chris.txt
-rw-r--r-- 1 dave dave 8 Jun 25 13:40 dave.txt
root@companion:/opt# su - dave
No directory, logging in with HOME=/
$ cd /opt
58
umask
The opposite of bits set on a file when created
scott@companion:~$ umask
0002
scott@companion:~$ touch zzzz
scott@companion:~$ ls -al zzzz
-rw-rw-r-- 1 scott scott 0 Dec 6 20:11 zzzz
When I create a file the only bit to NOT set is the 2 bit.
59
umask (continued)
The opposite of bits set on a file when created
scott@companion:~$ umask 22
scott@companion:~$ touch zzyy
scott@companion:~$ ls -al zzyy
-rw-r--r-- 1 scott scott 0 Dec 6 20:13 zzyy
umask with a value sets the umask. Setting it as 22 means not to set the write bit for users and groups.
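The umask arithmetic behind the two listings above, as an added example that is not part of the original deck: it predicts the mode a new file or directory gets (requested mode with the umask bits removed) and then confirms the prediction by creating one in a scratch directory. The function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict the mode a umask produces, then confirm it on disk.

# Print the octal mode a new object gets under umask $1.
# $2 is "file" (programs request 666) or "dir" (programs request 777).
mode_for_umask() {
    case $1 in ''|*[!0-7]*) echo "invalid umask: $1" >&2; return 2 ;; esac
    case $2 in
        file) base=0666 ;;
        dir)  base=0777 ;;
        *)    echo "kind must be file or dir" >&2; return 2 ;;
    esac
    # The umask lists the bits to remove from the requested mode.
    printf '%o\n' $(( $base & ~0$1 ))
}

# Create a file or directory under umask $1 in a scratch directory and print
# the permission string "ls -l" shows for it (first 10 characters only, so
# an ACL or SELinux marker after the mode does not matter).
observed_listing() {
    (
        d=$(mktemp -d) || exit 1
        umask "$1"
        case $2 in
            dir) mkdir "$d/zzzz" ;;
            *)   touch "$d/zzzz" ;;
        esac
        ls -ld "$d/zzzz" | cut -c1-10
        rm -rf "$d"
    )
}

demo() {
    for mask in 0002 22 077; do
        printf 'umask %-5s file %s %s   dir %s %s\n' "$mask" \
            "$(mode_for_umask "$mask" file)" "$(observed_listing "$mask" file)" \
            "$(mode_for_umask "$mask" dir)"  "$(observed_listing "$mask" dir)"
    done
}

demo
```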
60
Lab Create a private group for you and your partner along with a shared group. Create a user for you and your partner with the private group as your primary group (-g) and the shared group (-G) as your supplemental group. Add each user. Put a file in opt for each user. Use chmod and chown to make the file globally read but only private write.
61
Annoying Cannot Save Backup File When you are working as a user... you have a private home directory, where you can work. The command useradd has a way to specify the home directory, which we did not do, so it defaulted to the root of the system which is owned by root. So you cannot write to it.
62
Back to Least Privilege Access Control, Auditing, Assurance, Least Privilege. We saw that Apache on Ubuntu, Amazon web services did not implement least privilege. Why? The answer is the LAMP (Linux, Apache, Mysql, Php) uses a very simplistic model. This is different than Enterprise Software.
63
To Consider There is an appropriate tool for a job. This is not Religion. We are trying to get a job done. There are 2M LAMP developers worldwide. Wikipedia – written in LAMP. Bugzilla, written in LAMP. So, what Computer Scientists say is LAMP is not real computer science. I disagree,
65
We Want To Use Least Privilege We get our web server (Tomcat) to work as a normal user. What does this imply? Port # >= 1024... No privileged User. Example of this
66
Google Technology Starting out... Google ingested the entire web and searches it. But the technology that ingests the entire web is called Map/Reduce and is the open source Apache project – Hadoop. The technology to read the entire web is called the Apache project Solr.
67
Solr Runs with Least Privilege. Show me! Ran Solr: Accessed it through http://localhost:8080/solr Did a ps -ef | grep tomcat. Running as scott
68
AWS.amazon.com/amis – these are amazon machine images. Top Down.... A specification committee gets together, they understand the need.... they build a specification. Many are good, some are bad. Bottom up... The specification committees do not know about this. A vendor starts it.... It gets critical mass... It becomes a de facto standard.
69
Some Things That Came From a Specification TCP/IP, HTML, Web Archives, Java, Browsers.
70
Some Things not from a Specification (de facto) Processors on PC, Wikis, Spring Framework, Social Networking, RESTful
71
Amazon - AMI Amazon Machine Images https://aws.amazon.com/amis 65,000 different machine images. Ubuntu 12.04, MySQL, Apache, php, postfix Server … Elastic... Managed in a secure way.
72
Why is this Popular Speed, efficiency, cost Shawn – I can bring up a production instance in less than 5 minutes. Cost – Initial costs are nominal. I pay as I go.
73
How Do I do This First go to amazon EC2. (Elastic Compute Cloud) classic wizard gives you different ones to choose from. Amazon gives you their own AMI default. Can go out to community and see the ones out there running. Choose an instance of them. Takes the image out there running and takes a copy of it.
74
Launched an Instance
I have a security key that I use to get to the server. This is going to lead to a best practice.
scott@companion:~/Desktop$ ls -al elijah.pem
-rw-rw-r-- 1 scott scott 1696 Sep 11 11:13 elijah.pem
scott@companion:~/Desktop$ chmod 600 elijah.pem
scott@companion:~/Desktop$ ls -al elijah.pem
-rw------- 1 scott scott 1696 Sep 11 11:13 elijah.pem
scott@companion:~/Desktop$
75
Let's Get to our Server
ssh -i elijah.pem ubuntu@ec2-50-19-29-234.compute-1.amazonaws.com
So if we do not use a private key
ssh ubuntu@ec2-50-19-29-234.compute-1.amazonaws.com
Permission denied (publickey)
76
Best Practices?
No unencrypted access.
Commands rsh, telnet, ftp -- never use and they are not installed by default.
Only ssh or https.
443, 22, 80: ports that are open.
DAC – Single User to account. Groups. Shared, etc.
And Private key to get into ssh, no accepting of passwords.
77
Lab Go back to Amazon, Create an instance. Log on to the server. Remember.... chmod 400 on the key Do not lose the key. scott@scottstreit.com Password redskins1992
78
Review Security Levels: D everything C1 – DAC with group level C2 - DAC individual users and objects. B1 - Mandatory Access Control – It is what we need for Multi-level secure. B2, B3, A1 is the same as B1 with more Assurance.
79
Review - II So, how can I prove Solr is running with Least Privilege? Possibly – it is running on port 8080 >= 1024. scott@companion:~$ ps -ef | grep tomcat scott 10139 18578 0 14:55 pts/4 0 User is scott Command grep scott /etc/passwd Command su - scott
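The `ps -ef` check used on the Apache slide and in this review, as an added example that is not part of the original deck: it reads `ps -ef` text, reports which accounts own a service's processes, flags a root-owned process, and looks up the service account's login shell. The function names are constructed; the Apache lines repeat the listing shown earlier, and the Tomcat command line is a constructed sample.

```shell
#!/bin/sh
# Added example: which accounts does a service run as, judged from "ps -ef" text?

# Read "ps -ef" output on stdin and print, sorted and space-separated, the
# users owning processes whose command line contains $1.
service_users() {
    awk -v pat="$1" '
        $1 == "UID" && $2 == "PID" { next }      # header line
        {
            cmd = ""
            for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
            if (cmd ~ /^grep /) next             # the grep we typed ourselves
            if (index(cmd, pat) > 0) print $1
        }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Verdict for a user list as printed by service_users.
least_privilege_verdict() {
    case " $1 " in
        "  ")       echo "not running" ;;
        *" root "*) echo "FAIL: runs as root" ;;
        *)          echo "OK: runs as $1" ;;
    esac
}

# Print the login shell of account $1 from the passwd-format file $2.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$2"
}

sample_apache_ps() {    # the listing from the Apache slide
    cat <<'EOF'
root      3725     1  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3727  3725  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
www-data  3729  3725  0 14:55 ?        00:00:00 /usr/sbin/apache2 -k start
ubuntu    3828   865  0 14:55 pts/0    00:00:00 grep --color=auto apache
EOF
}

sample_tomcat_ps() {    # constructed: a Tomcat JVM started by user scott
    cat <<'EOF'
scott    10139 18578  0 14:55 pts/4    00:00:12 /usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
scott    10201 18578  0 14:56 pts/4    00:00:00 grep tomcat
EOF
}

sample_passwd() {       # the passwd entry from the Apache slide
    echo 'www-data:x:33:33:www-data:/var/www:/bin/sh'
}

demo() {
    pw=$(mktemp) || return 1
    sample_passwd > "$pw"
    echo "apache: $(least_privilege_verdict "$(sample_apache_ps | service_users apache)")"
    echo "tomcat: $(least_privilege_verdict "$(sample_tomcat_ps | service_users tomcat)")"
    echo "www-data login shell: $(login_shell www-data "$pw")"
    rm -f "$pw"
}

demo
```

On a live host, pipe the real listing in: `ps -ef | service_users tomcat`.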
80
SSH
root@companion:~# groupadd jon
root@companion:~# useradd jon -g jon -d /home/jon -s /bin/bash
root@companion:~# cd /
root@companion:/# cd /home
root@companion:/home# mkdir /home/jon
root@companion:/home# chown jon:jon /home/jon
jon@companion:~$ ssh localhost
jon@localhost's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-30-generic-pae i686)
Requires password!!!!
81
No Password – How?
$ ssh-keygen
Enter file in which to save the key (/home/jon/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Your public key has been saved in /home/jon/.ssh/id_rsa.pub.
jon@companion:~$ ls -al .ssh
-rw------- 1 jon jon 1675 Sep 11 14:18 id_rsa
-rw-r--r-- 1 jon jon 395 Sep 11 14:18 id_rsa.pub
-rw-r--r-- 1 jon jon 222 Sep 11 14:16 known_hosts
jon@companion:~/.ssh$ mv id_rsa.pub authorized_keys
prove it: ssh localhost
82
We ssh now
jon@companion:~$ ssh localhost
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-30-generic-pae i686)
* Documentation: https://help.ubuntu.com/
Lets us in without a password!!!
83
Look at this a little further
jon@companion:~/.ssh$ more id_rsa
-----BEGIN RSA PRIVATE KEY-----
jon@companion:~/.ssh$ more authorized_keys
ssh-rsa ... jon@companion
84
SSH With Passphrase
jon@companion:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jon/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): lakers
Enter same passphrase again: lakers
jon@companion:~/.ssh$ mv id_rsa.pub authorized_keys
jon@companion:~/.ssh$ ssh localhost
Enter passphrase for key '/home/jon/.ssh/id_rsa':
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-30-generic-pae i686)
85
Lab 3 Use ssh-keygen to create a public and private key. Use this to get access to your account via ssh without a password.
86
Setting SSHD to only allow Private Key
sudo su -
cd /etc/ssh/
edit sshd_config
change
#PasswordAuthentication yes
to
PasswordAuthentication no
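A check that the edit above took effect, as an added example that is not part of the original deck: it works out which PasswordAuthentication value the global section of an sshd_config yields, covering the commented-out default, a duplicate line (the first value wins) and a setting that sits only inside a Match block. The function names and the four sample files are constructed; the parser assumes whitespace-separated keywords and does not follow Include lines.

```shell
#!/bin/sh
# Added example: what value of PasswordAuthentication does an sshd_config yield?

# Print "yes" or "no" for the global section of the sshd_config file $1.
effective_password_auth() {
    awk '
        { sub(/\r$/, ""); sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }               # comments and blank lines set nothing
        { key = tolower($1) }               # keywords are case-insensitive
        key == "match" { exit }             # conditional blocks are out of scope
        key == "passwordauthentication" && !seen { seen = 1; val = tolower($2) }
        END { print (seen ? val : "yes") }  # unset means the built-in default
    ' "$1"
}

# Succeed only when password logins are switched off for everyone.
password_login_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Fill directory $1 with constructed sshd_config samples.
write_samples() {
    cat > "$1/stock" <<'EOF'
# constructed sample: option still commented out, as before the edit
Port 22
#PasswordAuthentication yes
EOF
    cat > "$1/edited" <<'EOF'
# constructed sample: after the edit shown on the slide
Port 22
PasswordAuthentication no
EOF
    cat > "$1/shadowed" <<'EOF'
# constructed sample: an earlier line wins, so the later "no" has no effect
PasswordAuthentication yes
Port 22
PasswordAuthentication no
EOF
    cat > "$1/match_only" <<'EOF'
# constructed sample: "no" applies to one user, everyone else gets the default
Port 22
Match User jon
    PasswordAuthentication no
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    for name in stock edited shadowed match_only; do
        printf '%-11s PasswordAuthentication %s\n' "$name" \
            "$(effective_password_auth "$dir/$name")"
    done
    rm -rf "$dir"
}

demo
```

On a live host, `sshd -T` run as root prints the configuration the daemon computes, and the running sshd has to reload its configuration before an edited file applies to new connections.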
87
Lab 4 Allow private key only access to your account. Log out of Xwindows and see password still works. THIS ONLY IMPACTS SSH, WHICH SHOULD BE YOUR ONLY EXTERNAL ACCESS. Physical access - we do not care.