Saturday, October 27, 2018

Asynchronous & Synchronous Communication

Try to read the sentence written after this statement: “youwillpasscisspexamifyoustudyhard”. Clearly, you need to focus on the letters, and your mind will try to discern the different words for you. Similarly, if I spoke to you without pausing, it would again be difficult for you to discern and understand what I am communicating. So irrespective of the way we communicate, verbal or written, we need to follow certain grammatical rules so that the other party is able to clearly discern and understand what is being said. For the written language these grammatical rules include punctuation symbols such as commas, semicolons and spaces, while for verbal communication we use aspects such as pausing, hand gestures and tone.

In a similar manner, technological communication protocols also have their own grammar and synchronization rules when it comes to the transmission of data. There are two modes of transmission, synchronous and asynchronous, and both of them use techniques similar to those of verbal and written communication.

Asynchronous transmission uses bits to mark the start and the stop of each unit of transmission. If two systems are communicating over a network protocol that employs asynchronous timing, “start” and “stop” bits are used. The sending system sends a “start” bit, then sends its character, and then sends a “stop” bit. This repeats for the whole message. The receiving system knows when each character starts and stops; thus, it knows how to interpret each character of the message. It is similar to how we communicate in a written letter: I insert spaces, commas, full stops, etc. to indicate the “start”, a “pause” or the “end” of the letter.

Just as when we speak we do not explicitly say “Pause”, “Stop” or “Start” to indicate the beginning or the end of a conversation, synchronous transmission does not employ any explicit “start” or “stop” bits to indicate the beginning or the end of a transmission. If two systems are going to communicate using synchronous transmission, they do not use start and stop bits; instead, the transfer of data is synchronized through a timing sequence, which is initiated by a clock pulse. So synchronous communication protocols transfer data as a stream of bits instead of framing them in start and stop bits. The synchronization can happen between two systems using a clocking mechanism, or a signal can be encoded into the data stream to let the receiver synchronize with the sender of the message. This synchronization needs to take place before the first message is sent.

In simple terms, asynchronous transmission is like a conversation on a satellite phone, where the sender and receiver both say “Over” to indicate that they have sent their message, while synchronous transmission is like a normal conversation, where our pauses at specific intervals indicate the start and the end of a transmission.

Now, having understood this, a question would pop up in your mind: what is the use of these transmission techniques? In today’s digital age, where everything is just data that needs to be sent across, there must be rules that govern this transmission. In addition to the rules, the two systems must agree on a way to receive and process data. Synchronous transmission is used where we have a predictable data stream (such as Netflix streaming), while asynchronous transmission is used where an unpredictable amount of data can be sent across (Internet connections, torrent downloads).
Ultimately, it’s all about timing.
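As an added illustration (this code is not from the original post), here is a small Python model of both schemes: bytes framed with start and stop bits, against a bare bit stream sliced by a clock. The frame layout (one start bit, 8 data bits, one stop bit, two idle bits as the pause) is an assumption chosen for the demonstration.

```python
# Added example, not from the original post: asynchronous framing (start bit,
# 8 data bits, stop bit, then an idle "pause") versus a synchronous bare bit
# stream that the receiver slices by an agreed clock. The frame layout is an
# assumption chosen for illustration.

def async_encode(data: bytes, idle: int = 2) -> list:
    """Each byte becomes: start bit 0, 8 data bits (LSB first), stop bit 1,
    followed by `idle` ones that model the pause before the next character."""
    bits = []
    for byte in data:
        bits.append(0)                                   # start bit
        bits.extend((byte >> k) & 1 for k in range(8))   # data bits
        bits.append(1)                                   # stop bit
        bits.extend([1] * idle)                          # idle line
    return bits

def async_decode(bits: list) -> tuple:
    """Return (decoded bytes, framing errors). A frame whose stop bit is not 1
    is counted as a framing error and its byte is dropped; the receiver then
    hunts for the next start bit, so the following characters still decode."""
    out, errors, i = bytearray(), 0, 0
    while i < len(bits):
        if bits[i] == 1:            # idle line: keep waiting for a start bit
            i += 1
            continue
        frame = bits[i + 1:i + 10]  # 8 data bits followed by the stop bit
        if len(frame) < 9:          # stream ended mid-frame
            break
        if frame[8] == 1:
            out.append(sum(b << k for k, b in enumerate(frame[:8])))
        else:
            errors += 1             # framing error: discard this character
        i += 10                     # resume after where the stop bit belongs
    return bytes(out), errors

def sync_encode(data: bytes) -> list:
    """Synchronous stream: data bits only, no framing bits at all."""
    return [(byte >> k) & 1 for byte in data for k in range(8)]

def sync_decode(bits: list) -> bytes:
    """The receiver slices the stream every 8 clock ticks. One lost bit shifts
    every later byte by one position, corrupting the rest of the message."""
    return bytes(sum(bits[i + k] << k for k in range(8))
                 for i in range(0, len(bits) - 7, 8))

def drop_bit(bits: list, index: int) -> list:
    """Simulate one bit lost on the line."""
    return bits[:index] + bits[index + 1:]

if __name__ == "__main__":
    msg = b"hello"
    print(async_decode(drop_bit(async_encode(msg), 4)))  # later characters survive
    print(sync_decode(drop_bit(sync_encode(msg), 4)))    # every byte is shifted
```

Dropping one bit inside the first character corrupts only that character in the framed stream, but misaligns every byte that follows in the clocked stream.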

And speaking of timing, this is a special article for me, as this is the 75th one. :)

Monday, October 22, 2018

The TCP Handshake

We learned about the TCP protocol in the article “Understanding TCP and UDP.” A brief mention was made in that article of the 3-way handshake process. Before we delve into that further, we must recap TCP (Transmission Control Protocol). TCP is a reliable and connection-oriented protocol, which means it ensures packets are delivered to the destination computer. If a packet is lost during transmission, TCP has the ability to identify this issue and resend the lost or corrupted packet.

Now, before any data is sent across, handshaking takes place between the two systems that want to communicate. Once the handshaking completes successfully, a virtual connection is set up between the two systems. It’s just like a high-profile deal that gets signed. Just as in a deal both parties discuss various parameters such as the financial settlement, payment of outstanding dues, shareholding, etc., the two hosts (systems or computers) must agree on certain parameters: data flow, windowing, error detection, etc.

The following diagram will help us understand the agreement that takes place between the two hosts.

The host (the lovely lady here) that initiates communication sends a synchronize (SYN) packet to the receiver. This means: “Would you be interested in establishing a data connection with me?”
The receiver acknowledges this request by sending a SYN/ACK packet, which translates to “Yes, I am interested in taking this conversation further. I have acknowledged your request and am sending you the details of how to communicate with me.”

The lady accepts this “SYN+ACK” packet and sends an “ACK” packet which translates to “Ok… I understand the terms and conditions. Let’s begin the conversation.”

After this, the host and the other system start transmitting data to each other. If all were so good in this world, we would not have to deal with the following problems, which arise when the lovely lady turns out not to be so lovely.

The lady here has a change of heart and decides to play a trick on the receiver. What she does is withhold the last step of the handshake, the “ACK”. Since the 3-way handshake is not complete, the other system keeps waiting for it. In the meantime, this lady starts another connection with the server and again withholds the last “ACK” packet. If she does this many times, it results in what is called a “SYN flood” attack. This is flooding the victim system with SYN packets; eventually, the victim system allocates all of its available TCP connection resources and can no longer process new requests.

This is an example of a DoS attack: Denial of Service. The victim system will not be able to provide any services to any client, as all its resources are locked up by one system.

There is another attack, the DDoS attack, a distributed denial of service attack. Here the attack comes from multiple different systems which leave the handshake open, and the result is again a denial of service. To put it in the same example, let’s consider that this lovely lady brings together a lot of her friends and asks them to start the handshake process with the victim and leave it in the middle. This would result in a DDoS attack.

There is one more attack mechanism we need to learn about before we say goodbye to each other.

One of the values agreed upon during a TCP handshake between two systems is the sequence numbers that will be inserted into the packet headers. Once the sequence number is agreed upon, if the receiving system receives a packet from the sending system that does not have this predetermined value, it disregards the packet. This means that an attacker cannot just spoof the address of a sending system to fool a receiving system; the attacker has to spoof the sender’s address and use the correct sequence number values.

If an attacker can correctly predict the TCP sequence numbers that two systems will use, then she can create packets containing those numbers and fool the receiving system into thinking that the packets are coming from the authorized sending system. She can then take over the TCP connection between the two systems, which is referred to as “TCP session hijacking”.
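As an added example (not code from the original post), the toy listener below models the server side of the handshake described above: a half-open table that a flood of unanswered SYNs exhausts, the SYN-cookie defence that keeps no state until the final ACK arrives, and the sequence-number check that drops a segment which does not carry the agreed value. The hosts, ports, ISNs and the simplified HMAC cookie are all constructed for the demonstration.

```python
# Added example, not from the original post: a toy server-side model of the
# 3-way handshake showing backlog exhaustion by withheld ACKs (SYN flood),
# stateless SYN cookies as the defence, and discarding of segments whose
# sequence number is not the agreed one. All hosts, ports, ISNs and the
# simplified cookie scheme are constructed.
import hashlib, hmac, os, random
MASK = 0xFFFFFFFF                       # sequence numbers wrap at 32 bits

class Listener:
    def __init__(self, backlog=4, syn_cookies=False):
        self.backlog = backlog          # max half-open connections kept
        self.syn_cookies = syn_cookies
        self.half_open = {}             # (client, port) -> server ISN
        self.established = {}           # (client, port) -> next seq expected
        self.secret = os.urandom(16)    # key for computing SYN cookies

    def _cookie(self, client, port, client_isn):
        """Stateless ISN: HMAC over the client tuple (simplified SYN cookie)."""
        msg = f"{client}:{port}:{client_isn}".encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(tag[:4], "big")

    def on_syn(self, client, port, client_isn):
        """Steps 1-2: answer a SYN with the server ISN, or None if refused."""
        if self.syn_cookies:            # nothing stored until the ACK comes
            return self._cookie(client, port, client_isn)
        if len(self.half_open) >= self.backlog:
            return None                 # table full: new clients are starved
        server_isn = random.getrandbits(32)  # unpredictable, hard to guess
        self.half_open[(client, port)] = server_isn
        return server_isn

    def on_ack(self, client, port, client_isn, ack):
        """Step 3: the final ACK must carry server ISN + 1 (client_isn is
        passed in because a real ACK segment carries it as seq - 1)."""
        key = (client, port)
        if self.syn_cookies:
            server_isn = self._cookie(client, port, client_isn)
        elif key in self.half_open:
            server_isn = self.half_open[key]
        else:
            return False                # no handshake in progress
        if ack != (server_isn + 1) & MASK:
            return False                # wrong acknowledgement number
        self.half_open.pop(key, None)
        self.established[key] = (client_isn + 1) & MASK
        return True

    def on_data(self, client, port, seq, payload):
        """Accept a segment only if seq is exactly what was agreed."""
        if self.established.get((client, port)) != seq:
            return False                # unknown connection or wrong seq
        self.established[(client, port)] = (seq + len(payload)) & MASK
        return True

def legit_client_connects(srv, client="192.0.2.7", port=5555, isn=42):
    """Full handshake plus one data segment for a well-behaved client."""
    server_isn = srv.on_syn(client, port, isn)
    if server_isn is None:
        return False
    srv.on_ack(client, port, isn, (server_isn + 1) & MASK)
    return srv.on_data(client, port, (isn + 1) & MASK, b"hello")

def syn_flood_then_connect(syn_cookies, flood=20):
    """Many SYNs that are never ACKed, then a real client tries to connect."""
    srv = Listener(backlog=4, syn_cookies=syn_cookies)
    for n in range(flood):
        srv.on_syn("198.51.100.9", 40000 + n, 1000 + n)
    return legit_client_connects(srv)
```

With `syn_cookies=False` the flood fills the backlog and the legitimate client is refused; with `syn_cookies=True` the server allocates nothing for the half-open attempts and the client connects normally.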

Understanding TCP & UDP

Have you ever wondered what happens behind the scenes when you click a video on your favorite website? Or when you are trying to log onto a secure website? There are multiple protocols that run behind the scenes to help you out and allow you to watch that favorite video of yours or buy that dress which you longed for.

Two such important protocols are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). These are two of the most common protocols used in networking and in setting up a secure infrastructure. Many services run on top of these protocols, or in simple terms, utilize their services. Before we go further and understand the technicalities involved, we must learn what happens in simple terms.

Everything we work on is actually just ones and zeros in the computer universe. The data that is sent from one computer to another is a bunch of ones and zeros flowing from here to there. For the sake of simplicity, we will call this bunch a packet. Say, when you click on YouTube to watch a video, you actually send a command asking YouTube to send some packets from its computer (or server) to your smartphone. Similarly, when you are logging on to Flipkart and checking out from the cart, you are actually sending packets from your computer to Flipkart’s computer. Easy peasy, right? So where do TCP and UDP come into this video watching and flipkarting?

TCP is a connection-oriented protocol, while UDP is a connectionless protocol. What does this mean? Connection-oriented means that the protocol will ensure that packets (remember, a bunch of 1s and 0s) are delivered to the destination computer with a 100% guarantee. Connectionless means that the protocol will try its level best to deliver the packets, but may not be 100% sure that the packets actually got delivered. The analogy is similar to registered post and a normal postal letter. With registered post (TCP), the letter is delivered into your hand, while the normal postal letter (UDP) is thrown at your doorstep. You are lucky if you get it.

If you are paying close attention, I have used two examples above to drive home the point about TCP and UDP. The two examples (video watching and flipkarting) are applications of UDP and TCP respectively. Let’s understand how. When you watch a video, a lot of data is sent to your computer. Even if one of these thousands of packets gets lost in transmission, you may not even notice, as the overall effect on your video may be extremely minimal. This is where UDP is used. Since UDP is a connectionless, best-effort protocol, it is used for playing video, where even if you lose a few packets you will not suffer. Since it is a connectionless protocol, it is easy to implement, requires fewer resources and is faster than TCP. On the other hand, when you are making a payment on an e-commerce website, no packet loss is acceptable, as it may affect the transaction. Hence TCP, a connection-oriented protocol, needs to be used. TCP does a 3-way handshake to establish this connection. In order to set up this connection and deliver your packets with a 100% guarantee, TCP requires more resources; however, this makes it more reliable. (We will cover the 3-way handshake and related attacks in the next article.)

If you are a developer, you must decide which protocol to use when delivering a service. TCP and UDP can be used in conjunction with other services too. Say you develop an email application, an SMTP service. If you wish to ensure that the mail gets delivered with a 100% guarantee, you may implement SMTP over TCP.

Let’s extend this discussion to understanding the differences between these protocols. If reliability is a requirement, we go for TCP, else UDP. Since TCP requires a lot of resources to implement, it would be prudent to use it for small amounts of data which require reliability. If a high-volume transaction like video streaming (Netflix) needs to be done, UDP would be a better choice.

What are your thoughts on this?

Saturday, October 20, 2018

[CyberSecurity Awareness Series] When George Got Whaled

The button clicked. An amount of exactly 9,99,000 $ was transferred immediately to an untraceable offshore account. This triggered an alert on the bank’s server. The response team quickly swung into action. Suddenly multiple alerts came rushing in like a raging torrent. Multiple transactions of 9,99,000 $ started popping up on the screen. The response team immediately knew it was under attack and triggered the alarm bell, but by then it was too late.

3 Hours Earlier

It was a quiet afternoon and George was enjoying his cup of coffee. Looking out of his glass window, the view from the 22nd floor was amazing. The bank was doing well, and the record quarterly profit cemented his position and power as the top man at the bank. George’s phone chimed. He quickly looked at it and smiled. The smile was palpable. The picture message brought back George’s memories of last night.

His smile continued as he logged on to his laptop. Due to regulatory compliance and a freezing period, all major transactions were on hold. Since the declaration period had ended yesterday, George was waiting for the go-ahead from the regulatory committee to lift the ban on high-value transactions. Before we go further, it would be nice to introduce the man here. George, a 37-year-old man with great looks and an MBA from the Ivy League, was one of the youngest CEOs of the Elegant Bank Corp. Married to a beautiful wife, George was living a dream. Well, sometimes dreams do crash.
The mail came and, as per process, George had to log in to the bank’s main server and confirm the process of allowing high-value transactions from the evening. He logged on to the bank’s server remotely using his credentials. He received an alert on his phone that the bank’s server was being accessed. He had to enter a code from his RSA token and voila, it was done.

The Investigation

George received a call from the response team alerting him that multiple transactions were happening and that it could be an attack. George panicked, and for a moment he felt as if a white flash of light crossed his eyes. He gathered himself and tried logging in to the bank’s server, but to his shock, he was logged out. He tried logging in again and the message said “Wrong Password”. He called up the response team only to hear more shocking news. According to the response team, George had changed his password 2 hours earlier and had updated the access control list too. Only George and Mr. Rishabh, one of the board of directors, could access the bank’s server remotely.
George immediately called an emergency meeting of the board of directors. He instructed the response team to take any measures necessary to disable the bank’s servers. He also called in law enforcement and explained the situation to them.

Swipe Me In

Law enforcement took complete control of all the devices of the bank and started the forensic investigation. Meanwhile, the media had a field day as the news broke in the morning that the Elegant bank had been hacked to the tune of 4.5 billion $. Funds transferred to the offshore accounts were untraceable, and recovering the money was next to impossible. But what led to this attack? Who could have cracked the high-level security deployed by the bank? The cyber security team of the bank was carrying out its own internal investigation too.

George was feeling miserable. He felt as if he had been torn apart. He took his mobile phone and logged on to the app “SwipeIt”. The user “FlowerAngel” was not accessible. That was strange for George. He checked again, but the app said that the profile was no longer accessible. George was focused on understanding the problem when the desk phone rang.

The law enforcement agencies had come to meet George. They asked George to hand over his phone and also showed him the search warrant for his office and his home. The next day a story was published in the national daily which shocked many.

The Night Before

The law enforcement agencies were quick to join the dots from the logs, and George’s confession was the final confirmation. George had a terrible habit of meeting strangers through the SwipeIt app and spending the nights with them. You could find people nearby who wanted to have fun, and a person had just to swipe to confirm that.

The night before, George had met “Flower Angel”, a 19-year-old girl. They instantly hit it off and ended up in the hotel nearby. While George was completely drunk, the girl had only to plug a flash drive into his laptop. The Trojan installed itself on the laptop, and the next day, when George logged on to the bank’s server, the Trojan replicated his exact moves and gave complete control to the hacker. While there were other security measures deployed by the bank to mitigate such threats, technology alone cannot solve the problem when the password is known and complete admin privileges are available to a person of such high stature.

This is an example of a whaling attack. Top people are always on the radar of those with malicious intent. They need to be careful. As cybersecurity professionals, we also need to keep such cases in mind when developing a cybersecurity protection mechanism for top management personnel.

What are your thoughts on this?

Saturday, October 6, 2018

Understanding Security Modes - Dedicated, System High, Compartmented, Multilevel

Imagine a system that processes information. This information is classified in nature. When we say it’s classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential, or military/government specific, such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want proper controls to be implemented so that the system that processes such information is secure. Now imagine a scenario where a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels?

Hey!! Stop imagining. Let’s discuss something else now. Hold on, I know, I asked you to imagine the scenario above. But the answers to all your questions will follow, so keep reading. We need to learn and understand a few terms before we are ready to hear the answer to the question and what follows after that.

When you access a system, you are the “subject” and the system which you are trying to access is the “object”. It works in this fashion: the one who accesses is the subject, and the one which is being accessed is the object. Subjects can have varied levels of control over the system. Say you are trying to access “”. When you access it, you see a front-end interface, new offers, etc. If I asked you to curate an offer for me, you would not be able to do it, as you do not have access to that particular file/folder/database/application/system. So it should be clear that all systems have some kind of access controls implemented so that you can access only the information that you “need to know”.

There is one more concept that needs to be understood, and then we will combine all of them to give you one tasty treat. There are multiple access control models. One of them is the Mandatory Access Control (MAC) model. Let’s understand it through an example. Jack Ryan works for the Indian Intelligence agency. To complete his mission, should he choose to accept it, he must have access to files which are classified as “Secret”. Moreover, his next mission is in Afghanistan. The Mandatory Access Control model makes it possible to ensure that Jack Ryan can access only “Secret” files, and only those about Afghanistan. How? In MAC, users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data are stored in security labels, which are bound to the specific subjects and objects. When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject, the classification of the object, and the security policy of the system.

In most systems based upon the MAC model, a user cannot install software, change file permissions, add new users, etc. The system can be used by the user for very focused and specific purposes, and that is it. These systems are usually very specialized and are in place to protect highly classified data.
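As an added example (not code from the original post), here is the label comparison a MAC system performs for the Jack Ryan case above: a subject may read an object only if the subject’s clearance is at least the object’s classification and the subject holds every compartment the object is tagged with. The level ordering and the sample file names are assumptions made for the demonstration.

```python
# Added example, not from the original post: a minimal mandatory access
# control read check. A subject label (clearance + compartments) must
# "dominate" an object label (classification + compartments): clearance at
# least as high AND every compartment of the object held by the subject.
# The level ordering and the sample files are constructed for illustration.
from dataclasses import dataclass, field

LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """Higher-or-equal level and a superset of the other's compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

def can_read(subject: Label, obj: Label) -> bool:
    """MAC read decision: the subject's label must dominate the object's."""
    return subject.dominates(obj)

def readable(subject: Label, objects: dict) -> list:
    """Names of the objects this subject is allowed to read, sorted."""
    return sorted(name for name, lbl in objects.items() if can_read(subject, lbl))

# Constructed sample: Jack Ryan's clearance and a few labelled files.
JACK = Label("Secret", frozenset({"Afghanistan"}))
FILES = {
    "kabul-brief.txt": Label("Secret", frozenset({"Afghanistan"})),
    "kabul-sources.txt": Label("Top Secret", frozenset({"Afghanistan"})),  # too high
    "europe-brief.txt": Label("Secret", frozenset({"Europe"})),            # no need to know
    "travel-advisory.txt": Label("Confidential"),                          # lower, no compartment
    "joint-ops.txt": Label("Secret", frozenset({"Afghanistan", "Europe"})),  # one compartment missing
}

if __name__ == "__main__":
    print(readable(JACK, FILES))
```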

So how does all this relate to the questions we asked in the beginning? The US government has designated four approved security modes for systems that process classified information. Since these systems process classified information, the mandatory access control model will be the only one implemented. Before we understand the four different security modes, it would be better to understand what “Security Mode” means.

Security modes refer to information systems security modes of operations used in mandatory access control (MAC) systems. Often, these systems contain information at various levels of security classification. The mode of operation is determined by:
  • The type of users who will be directly or indirectly accessing the system.
  • The type of data, including classification levels, compartments, and categories, that are processed on the system.
  • The types and levels of users, their need to know, and the formal access approvals that the users will have.