9 Essential 系统安全 面试问题 *

“Pentest” is short for “penetration test”, involves having a trusted security 专家 attack a system for the purpose of discovering, 和修复, security vulnerabilities before malicious attackers can exploit them. This is a critical procedure for securing a system, as the alternative method for discovering vulnerabilities is to wait for unknown agents to exploit them. By this time it is, of course, too late to do anything about them.

为了保证系统的安全, it is advisable to conduct a pentest on a regular basis, especially when new technology is added to the stack, or vulnerabilities are exposed in your current stack.

“Social engineering” refers to the use of humans as an attack vector to compromise a system. It involves fooling or otherwise manipulating human personnel into revealing information or performing actions on the attacker’s behalf. Social engineering is known to be a very effective attack strategy, since even the strongest security system can be compromised by a single poor decision. 在某些情况下, highly secure systems that cannot be penetrated by computer or cryptographic means, can be compromised by simply calling a member of the target organization on the phone and impersonating a colleague or IT professional.

Common social engineering techniques include 网络钓鱼, “点击劫持”, 引诱, although several other tricks are at an attacker’s disposal. Baiting with foreign USB drives was famously used to introduce the 超级工厂病毒 worm into Iran’s uranium enrichment facilities, damaging the nation’s ability to produce nuclear material.

For more information, a good read is Christopher Hadnagy’s book Social Engineering: The Art of Human Hacking.

This is an ideal situation for injection and querying. If we know that the server is using a database such as SQL with a PHP controller, 这变得很简单. We would be looking to test how the server reacts to multiple different types of requests, 以及它所反射回来的, 寻找异常和错误.

代码注入就是一个例子. If the server is not using authentication and evaluating each user, one could simply try /索引.php?参数= 1;系统(“id”) and see if the host returns unintended data.

Ideally you want all of your data to pass through an encrypted connection. 这通常需要通过隧道 SSH into whatever outside service you need, over a 虚拟专用网 (VPN). Otherwise, you’re vulnerable to all manner of attacks, from 中间人, to 专用门户利用等等.

An air gapped machine is simply one that cannot connect to any outside agents. From the highest level being the internet, to the lowest being an intranet or even bluetooth.

Air gapped machines are isolated from other computers, are important for storing sensitive data or carrying out critical tasks that should be immune from outside interference. For example, a nuclear power plant should be operated from computers that are behind a full air gap. 在很大程度上, real world air gapped computers are usually connected to some form of intranet in order to make data transfer and process execution easier. 然而, every connection increases the risk that outside actors will be able to penetrate the system.

The first task is to do a full clean and make sure that the employees’ machines aren’t compromised in any way. This would usually involve something along the lines of a selective backup. One would take only the very necessary files from one computer and copy them to a clean replica of the new host. We give the replica an internet connection and watch for any suspicious outgoing or incoming activity. Then one would perform a full secure erase on the employee’s original machine, to delete everything right down to the last data tick, before finally restoring the backed up files.

The keys should then be given out by transferring them over wire through a machine or device with no other connections, 输入任何必要的 .p7s email certificate files into a trusted email client, then securely deleting any trace of the certificate on the originating computer.

The first step, cleaning the computers, may seem long and laborious. 从理论上讲, if you are 100% certain that the machine is in no way affected by any malicious scripts, then of course there is no need for such a process. 但是在大多数情况下, 你永远无法确定这一点, if any machine has been backdoored in any kind of way, this will usually mean that setting up secure email will be done in vain.

First, one should be considering whether to even attempt circumventing the encryption directly. Decryption is nearly impossible here unless you already happen to have the private key. Without this, your computer will be spending multiple lifetimes trying to decrypt a 2048-bit key. It’s likely far easier to simply compromise an end node (i.e. 发送者或接收者). 这可能涉及网络钓鱼, exploiting the sending host to try and uncover the private key, or compromising the receiver to be able to view the emails as plain text.

A script is FUD to an antivirus when it can infect a target machine and operate without being noticed on that machine by that AV. This usually entails a script that is simple, small, precise

了解如何编写FUD脚本, one must understand what the targeted antivirus is actually looking for. 如果脚本包含事件，例如 Hook_Keyboard (), File_Delete (), or File_Copy (), it’s very likely it wil be picked up by antivirus scanners, so these events are not used. 进一步, FUD scripts will often mask function names with common names used in the industry, 而不是把它们命名为 fToPwn1337 (). A talented attacker might even break up his or her files into smaller chunks, 然后十六进制编辑每个单独的文件, thereby making it even more unlikely to be detected.

As antivirus software becomes more and more sophisticated, attackers become more sophisticated in response. 防病毒软件，例如 迈克菲 is much harder to fool now than it was 10 years ago. 然而, there are talented hackers everywhere who are more than capable of writing fully undetectable scripts, 谁将继续这样做. Virus protection is very much a cat and mouse game.

A 中间人攻击 is one in which the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. 主动窃听就是一个例子, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker, who even has the ability to modify the content of each message. 常缩写为 MITM, MitM, or MITMA，有时也被称为 会话劫持攻击, it has a strong chance of success if the attacker can impersonate each party to the satisfaction of the other. MITM attacks pose a serious threat to online security because they give the attacker the ability to capture and manipulate sensitive information in real-time while posing as a trusted party during transactions, 对话, 以及数据的传输. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted WiFi access point, can insert himself as a 中间人.