computer security and authentication
Computer Security and Authentication
CS 5352
Spring 06
Software Engineering Institute
• Federally funded, sponsored by DoD
• Operated by Carnegie Mellon University
• About 400 employees
• Wants a smooth transfer of new Software Engineering Technology into practice
• Technical theme:
  – Move left
  – Reuse everything
  – Never make the same mistake twice
CERT Coordination Center
• Overview
  – Part of the SEI
  – Formed by DARPA, 1988, after the worm incident
  – About 100 employees
  – 3,784 vulnerability reports (2003)
  – 137,529 computer security incidents (2003)
• Purpose
  – Analyse trends in attacks, vulnerabilities, impact
  – Coordinate responses to security attacks
  – Methods to evaluate, improve, maintain security
  – Publish, disseminate good security practices
Survivability
• The ability of a system to fulfill its mission, in a timely manner, in the presence of attacks, accidents, and failures
Critical Need for Information Assurance: Incidents Reported to the CERT/CC
[Chart: incidents reported to the CERT/CC per year, 1995 to 2003; vertical axis 0 to 160,000]
Critical Need for Information Assurance: Vulnerabilities Reported to the CERT/CC
[Chart: vulnerabilities reported to the CERT/CC per year, 1995 to 2005; vertical axis 0 to 7,000]
Critical Need for Indications and Warnings
• Advanced Intruders Discover Vulnerability
• Crude Exploit Tools Distributed
• Novice Intruders Use Crude Exploit Tools
• Automated Scanning/Exploit Tools Developed
• Widespread Use of Automated Scanning/Exploit Tools
• Intruders Begin Using New Types of Exploits
Critical Need for Indications and Warnings
Critical Need for Better Engineering Methods
• Resistance, recognition, and response must be integrated into the system and application architecture
Network protocols
• Designed for Arpanet, over 20 years ago
• But still used nowadays, under a totally different environment
A Different Internet
• Armies may cease to march
• Stock may lose a hundred points
• Businesses may be bankrupted
• Individuals may lose their social identity
• Threats not from novice teenagers, but purposeful military, political, and criminal organizations
Why Should You Be Concerned
Personal data
Credit information
Medical information
Purchasing history
Corporate information
Political information
Societal infrastructure
Computer Vulnerability (2001)
Out-of-the-box Linux PC hooked to Internet, not announced:
[30 seconds] First service probes/scans detected
[1 hour] First compromise attempts detected
[12 hours] PC fully compromised:
  – Administrative access obtained
  – Event logging selectively disabled
  – System software modified to suit intruder
  – Attack software installed
  – PC actively probing for new hosts to intrude
• Clear the disk and try again!
Motivations to Violate Security
• Ego
• Curiosity
• Greed
• Revenge
• Competition
• Political/Ideological
People and Computer Crime
• Most damage not due to attacks
  “Oops!”
  “What was that?”
• No clear profile of computer criminal
• Law and ethics may be unclear
Types of Attackers
• Script Kiddies
• Old-line hackers
• Disgruntled Employees
• Organized Crime
• Corporate Espionage
• Foreign Espionage
• Terrorists
Buffer overflow
• The most important avenue for vulnerabilities
• Good programming practice: always verify that the input you receive from an uncontrolled source conforms to the expected format
Buffer overflow example
rlogin program
    main(argc, argv)
        int argc;
        char *argv[];
    {
        …
        char term[1024];
        ...
        /* Unbounded copy: a TERM value of 1024 bytes or more overruns term[] */
        (void)strcpy(term, (p = getenv("TERM")) ? p : "network");
        …
    }
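A bounded, validated version of the copy on the slide above, as an added example that is not part of the original slides. The helper names set_term and term_is_valid are hypothetical, and the character set allowed in a terminal name is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERM_MAX 1024          /* buffer size used on the slide */
#define TERM_DEFAULT "network" /* fallback used on the slide */

/* 1 if s fits in dstlen bytes (with its NUL) and looks like a terminal
 * name. The allowed character set is an assumption of this example. */
static int term_is_valid(const char *s, size_t dstlen)
{
    size_t n;
    if (s == NULL || dstlen == 0)
        return 0;
    n = strlen(s);
    if (n == 0 || n >= dstlen)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && strchr("+-._", c) == NULL)
            return 0;
    }
    return 1;
}

/* Copies the untrusted value only after it passed validation; otherwise
 * stores the default. Returns 1 if the caller's value was used, else 0. */
int set_term(char *dst, size_t dstlen, const char *untrusted)
{
    if (term_is_valid(untrusted, dstlen)) {
        memcpy(dst, untrusted, strlen(untrusted) + 1);
        return 1;
    }
    if (dstlen > 0)
        snprintf(dst, dstlen, "%s", TERM_DEFAULT);
    return 0;
}

int main(void)
{
    char term[TERM_MAX];
    int used = set_term(term, sizeof term, getenv("TERM"));
    printf("term=%s (%s)\n", term, used ? "from environment" : "default");
    return 0;
}
```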
Authentication
• Four classic ways to authenticate:
  1. something you know (passwords)
  2. something you have (smartcard)
  3. something you are (fingerprint)
  4. something you do (usage signature)
• None of these is perfect
Identity theft
• Fastest rising crime in the US
• FBI won’t help unless losses above $100,000.
• Someone can steal an identity with just a social security number!!!
Passwords
• Account - person using the system
• Username - Identity of account (public)
  – limited characters, alphanumeric & special characters
  – typically related to real name of user (not always), certain names reserved
  – unique on system
  – fixed at account creation
• Passwords – Verification of identity (private)
  – Less limited length and characters
  – Fixed until changed
  – Non-unique passwords – (both users have bad password)
• Many Multi-user Operating Systems have same scheme
Password Security
• Password security depends on ONLY you knowing the password
  – Secure selection
  – Secure handling
  – Secure storage
Password Storage
• “trapdoor encrypted”
  – scrambled in a way that cannot be unscrambled
  – scrambling folds password over itself - lost bits
  – different users with same password won’t have same scrambled password
  – login scrambles entered password and compares against stored scrambled password
  – original concept: since only scrambled passwords are available, storage is secure (FALSE!)
• longpre:br1eXN8N3pyAB
Password Attacks
• Easy to Hard
  – Given password
  – Grab password
  – Generate password
  – Guess password
Given Password
• Look It Up
  – Default passwords
  – Posted passwords
• Ask for It (Social Engineering)
  – As colleague
  – As friend
  – As administrator / authority
  – As clueless & needy
• Countermeasures
  – Education
  – Other authentication
Grab Password (locally)
• Physical proximity
  – Shoulder surfing
  – Countermeasures
    • Education
    • Exercises
    • One-time passwords
• Program access
  – Trojan Horse
  – Perverted program
  – Countermeasures
    • Integrity checks
    • Other authentication
Other Network Attacks
• Tapping
  – Method depends on network medium
  – Countermeasures:
    • Encryption
    • Physical protection & inspection
• Van Eck Radiation
  – Current through wire: Radio waves
  – Receiver tunes in on hosts/network
  – Countermeasures:
    • Encryption
    • Distance
    • Emission Control
Generate Password
• Use a dictionary
• Requires: Scrambled password, Encryption method & Large dictionary
• Password Cracking
  – Natural language words and slang
  – Backwards / Forwards / Punctuation and Numbers inserted
  – Program: 27,000 passwords in approx 3 seconds (Pentium II/133)
• Countermeasures
  – Preventive strike (BEWARE)
  – Password rules
  – Other authentication
Guess Password
• Use knowledge of user
  – System information
  – Personal information
  – Occupation information
• Often combined with dictionary attack
• Countermeasures
  – Password rules
  – Other authentication
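One way to implement the "Password rules" countermeasure named on the Generate Password and Guess Password slides, as an added example that is not part of the original slides: it rejects a candidate that reduces to a listed word, read forwards or backwards, once digits and punctuation are stripped. The function names, the 8-character minimum and the sample word list are assumptions, and the check covers only this class of weak candidates.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PW_MIN_LEN 8 /* assumed policy minimum; the slides give no number */

/* Constructed sample list: dictionary words plus the account name. */
const char *const SAMPLE_WORDS[] = { "password", "dragon", "longpre" };

/* Keep only the letters, lower-cased: "Pass-word1!" -> "password". */
static size_t letter_core(const char *pw, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *pw != '\0' && n + 1 < outlen; pw++)
        if (isalpha((unsigned char)*pw))
            out[n++] = (char)tolower((unsigned char)*pw);
    out[n] = '\0';
    return n;
}

/* 1 if core equals word read forwards or backwards. */
static int matches_either_way(const char *core, size_t n, const char *word)
{
    if (n == 0 || strlen(word) != n)
        return 0;
    if (memcmp(core, word, n) == 0)
        return 1;
    for (size_t i = 0; i < n; i++)
        if (core[i] != word[n - 1 - i])
            return 0;
    return 1;
}

/* Returns 1 if pw passes the rules, 0 if it is rejected. words[] holds
 * lower-case dictionary entries and known facts about the user. */
int password_acceptable(const char *pw, const char *const *words, size_t nwords)
{
    char core[128];
    if (strlen(pw) < PW_MIN_LEN)
        return 0;
    size_t n = letter_core(pw, core, sizeof core);
    for (size_t i = 0; i < nwords; i++)
        if (matches_either_way(core, n, words[i]))
            return 0;
    return 1;
}

int main(void)
{
    puts(password_acceptable("Pass-word1!", SAMPLE_WORDS, 3) ? "accepted" : "rejected");
    return 0;
}
```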
Password Changing
• When?
  – Forced or voluntary
  – Regularly or event driven
• Considerations
  – Increase security?
    • Fix a stolen password problem
    • However, stolen passwords are often used quickly
    • False sense of security
  – Too frequent password changes encourage
    • weak passwords
    • written down passwords
Passwords on Many Machines
• One or Many?
  – Ease of memorization vs. likelihood of writing
  – Options:
    • Secure stored passwords
    • Network authentication method
    • Algorithm for varying passwords
    • Seldom used passwords in encrypted file
Something You Have
• Convert logical security to physical security
  – One-time pad
  – Strip card / smart card
  – Dongle
  – Challenge-Response calculator
• Problems: Cost & token issuing/handling
• Advantages: Physical presence; hard to hack
Smart cards for identification
• Hard to duplicate
• If weak protocol and a lot at stake, fakes WILL appear
• Use of zero-knowledge algorithms
  – Guarantee valid user but preserves privacy
• Attacks on smart cards
  – Power supply
  – Chemical stripping
  – Emissions
Something You Are
• Biometrics: Measure physical characteristic
  – Face geometry
  – Hand geometry
  – Fingerprint
  – Voiceprint
  – Retinal Scan
  – Signature
• Advantages: Physical presence, not easily lost
• Disadvantages: Cost, Security, Variation, Handicaps, Success ratio