SFDV2001- Web Development
Lecture 11 B: Security
11/09/07 (SFDV2001:22) Security 2

The Plan
Security threats: physical attacks; packet sniffing; phishing and social engineering; worms, viruses and Trojan horses
Protecting your machine: scanning; software updates; encryption, passwords and secure transmission
Practical steps

Security Threats
"The largest security threat to any company is the people in the company." (Jamie Oliver, "Naked Chef 2")
Security is more than just applying rules to the computer systems.
The main security threats: phishing and social engineering; physical attacks; worms, viruses and Trojan horses; packet sniffing; denial of service

Defences
Culture of secure operation: always lock the door before you go out; get a neighbour to clear the mail; always use complex passwords; have a working and up-to-date firewall.
Defences: updating, updating, updating; education; scanning programs; encryption and passwords; firewalls.

Stupidity
Most problems are caused by ignorance:
  only worrying about security after something has already broken
  believing that a scam is real
  thinking "it won't happen to me"
Social engineering: finding out about people and using that information to break into systems.
Attackers break in via the weakest link, which is people.

Social Engineering
Finding out about people and using that information to break into systems:
  learning about a target person in a company (family, pets, phone numbers)
  using that knowledge to guess their passwords
  using people to open up a system for you
The best technical security will not stop your users giving away information.
Security by obscurity does not work: computers can search large amounts of data quickly, so a "secret" that is merely hidden rather than protected is found by trying every possibility.
Port scanning is the technical version of the same idea: an attacker tries every port on a machine to find out which services it is offering, then attacks the ones with known holes.

Phishing
Sending emails looking to get personal data; more precisely, an attempt to fraudulently acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email or an instant message.
Fake web pages. Recent examples: Westpac Trust, National Bank. Emails asking you to re-login to a bank web site.
Tip: never trust an email that looks like spam. Search for its contents and see where else it turns up. A bank does not need you to log in from a link in an email, so type the bank's address yourself instead of clicking.
http://www.antiphishing.org/reports/
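An added example, not part of the lecture slides: the check a cautious reader can make on a phishing email like the bank re-login messages above. It pulls every link out of the HTML body and compares where the link says it goes with where it actually goes. The email text, the bank domain examplebank.co.nz and the address 203.0.113.9 are all constructed for the demo.

```python
"""Added example (not from the lecture): flag links in a suspicious
e-mail whose destination does not match what the reader is shown.
The e-mail body and the bank domain are constructed test data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a host name inside visible link text.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def suspicious_links(html, claimed_domain):
    """Return [(href, [reasons])] for links that do not look like they
    belong to claimed_domain, the bank the e-mail claims to come from."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        if not belongs_to(host, claimed_domain):
            reasons.append("link goes to %s, not %s" % (host or "?", claimed_domain))
        if host and host.replace(".", "").isdigit():
            reasons.append("raw IP address instead of a name")
        if urlparse(href).scheme == "http":
            reasons.append("plain http, no https")
        for named in HOST_RE.findall(text):       # text says one site, href another
            named = named.lower()
            if not belongs_to(host, named) and not belongs_to(named, host):
                reasons.append("visible text says %s" % named)
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed phishing e-mail body (203.0.113.9 is a documentation address).
SAMPLE_EMAIL = """
<p>Dear customer, your account has been suspended. Please
<a href="http://203.0.113.9/login">log in at www.examplebank.co.nz</a> to restore access.</p>
<p>You can also use <a href="https://www.examplebank.co.nz.secure-update.example/login">https://www.examplebank.co.nz</a>.</p>
<p>Questions? <a href="https://www.examplebank.co.nz/contact">Contact us</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "examplebank.co.nz"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The second link is the classic trick: the real host is secure-update.example, and www.examplebank.co.nz is only a prefix of it. A suffix check against the bank's own domain catches it; a "does it contain the bank's name" check would not.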

Physical Attacks
Not necessarily related to internet connections, but one of the key problems: laptops get stolen, people break in.
Someone could:
  break in and steal your computer
  connect a computer to a network plug inside your building, behind your firewall
  install logging hardware (a hardware key logger) somewhere on your computer
Software on Internet café terminals is often terribly insecure: you have no way of knowing what is logging your keystrokes.

Worms
Worm: a stand-alone program that attacks computers and, once established, tries to spread to other systems. Usually has malicious intent.
Not the same as a virus: a worm spreads across the network by itself, without needing a host program or any user interaction.
Examples: Blaster, Mydoom

Viruses
A computer program that replicates itself by placing its program code inside other applications.
Often contains some form of malicious code (the payload).
Often spread by opening attachments sent via email.
Now on mobile phones, iPods and MP3 players.
[Diagram: an infected application carries the virus code; when it runs, the virus copies itself into other applications, which then carry the virus too]

Trojan Horses
Definition: a program that contains instructions to perform a task not intended by the user.
Example: a card game that also scans your hard drive for personal information and sends it to a remote computer.
Like a virus, but usually not self-replicating: the user installs it voluntarily because it looks useful.

Wifi
Wi-Fi is a brand name for 802.11 wireless networking (the popular expansion "wireless fidelity" is not an official one).
Your computer is a radio station and a radio receiver: all data is sent as a radio signal, and anyone in range can receive it.
War driving: driving around looking for wireless networks, and for some people connecting to or breaking into them.
War chalking: walking around writing chalk symbols on the sidewalk where open wireless networks are.
Most wireless networks are not very secure! Open networks have no protection at all, and the old WEP encryption is broken.

Wifi Access: George Street
Wireless networks detected on George Street (SSID, type, BSSID, time seen):
  Alhambra Oaks HOTSPOT Internet    BSS      00:00:00:00:00:00   2:13:52
  Telecom wireless hotspot          BSS      00:03:52:f9:18:40   2:14:34
  linksys                           BSS      00:12:17:68:f3:16   2:14:36
  Comsouth Wireless Hotspot Access  BSS      00:a0:c5:41:ec:f0   2:14:45
  default                           BSS      00:11:95:56:02:ad   2:14:49
  Telecom wireless hotspot          BSS      00:03:52:f2:37:30   2:15:20
  onlyNZ                            BSS      00:0f:66:23:2b:77   2:16:02
  FC                                BSS      00:13:46:bb:77:5e   2:16:02
  Laptop                            ad-hoc   02:0c:f1:38:10:96   2:16:11
  Apple Network ecdd95              BSS      00:11:24:ec:dd:95   2:16:12
  Larsons_Central                   BSS      00:0f:3d:ab:25:50   2:16:15
  McRobieAirport                    BSS      00:11:24:eb:b4:ed   2:16:23
  Hoyts Octagon                     BSS      00:13:10:6c:82:1f   2:17:06
  WigramWireless                    BSS      00:0f:3d:b3:72:22   2:17:16
  pjcox                             BSS      00:0f:3d:b3:6a:6e   2:17:16
  Woodhouse Partners                BSS      00:14:bf:3d:89:5e   2:17:18
  (no SSID broadcast)               BSS      00:13:10:4f:f2:ac   2:17:26
  THECOMMONROOM                     BSS      00:11:50:50:29:b8   2:17:35
  Bpac                              BSS      00:0f:3d:68:dc:95   2:17:43
Names such as "linksys" and "default" are factory settings, a sign that the access point was plugged in and never configured. "ad-hoc" is a computer-to-computer network rather than an access point.

Free Wifi
Cnr George and Albany, 2pm Tuesday: accessed a Wifi named SpeedTouch. Full open internet access.
Provided a DNS server and full download. Security risk very high.
I could do anything illegal, immoral, or costly; all they would know is that the signal came in through their wireless network.

Packet Sniffing
Snooping on the packets in a network.
If you do this here you will be thrown out immediately.
On a shared medium (an old hub, or any wireless network) every computer in range receives every packet; normally the network card discards packets not addressed to it.
Set the card to promiscuous mode so the computer keeps the packets addressed to other computers, then look for the usernames, which are often followed by passwords.
Sniff for the word "exam", or "budget", etc.
On a switched network the switch delivers each packet only to its destination, so a sniffer has to sit on the gateway or trick the network (ARP spoofing) into sending the traffic through it; the point stands that you cannot assume nobody is watching.

Denial of Service
Try to deny a company access to the internet or their email.
Release a worm (e.g. Blaster), Trojan horse or virus that includes code to connect to a particular machine at a set time.
If millions of machines send requests for pages, the server becomes overloaded (a distributed denial of service, DDoS). The same is true of email.
University of Otago suffered a network outage for five hours because of a DoS attack.
Time frame: 18 April 2005, approximately 9.00am - 2.00pm.

Defences
Vulnerabilities are not a problem until someone discovers them. Others have probably experienced a problem before you do, and companies try to fix holes when they are found; the fix only helps you once you have installed it.
Updating
Update your software frequently: Windows XP updates, Firefox, OS X, ....
Security is an "arms race": make sure you don't bring a knife to a gun fight.
Update all the programs, as anything that connects to the internet could have a problem that allows people access.

Education and Scepticism
Don't trust spam. Understand the threats and don't get sucked in by offers.
Read security notices (AusCERT, for example).
Check for program updates; turn on auto-updates for software.
Pay attention to the security on your system.
If you are going to use an internet café, check the security and ask about key loggers.

Scanning Programs
Antivirus software is now big business.
These systems scan your computer for files that match a list of virus definitions that are regularly updated.
They check every program to see if it contains suspect code. A scanner can only recognise what is already in its definitions, so it is a complement to updating, not a substitute for it.
AVG is good and free (www.grisoft.com). Norton Antivirus from Symantec is also good.

Encryption
Securing information by converting it from plain text into something else (ciphertext) that only the holder of the key can turn back into the original.
Things to consider: speed of encryption; how long the message stays relevant; who needs to decrypt the message.
Encryption algorithms are called ciphers.
Scytale cipher: wrap a strip around a rod and write the text along the rod; unwound, the strip carries the letters in scrambled order, and only a rod of the same size lines them up again. Used in ancient Sparta.
RSA public key system. The "128-bit" advertised for secure web connections is the size of the symmetric session key; RSA keys themselves are far longer (1024 bits or more), and a 128-bit RSA key would be trivially breakable.

Passwords
If you select an easy password then no security system will protect you.
Every word in the English language can be checked in about 10 minutes: if a computer can check two thousand passwords per second, the dictionary is done in a few minutes. Today's hardware tests millions to billions of hashes per second, so it is done before you finish reading this slide.
The password is not stored. A one-way hash of it is stored, and what the user types is tested by hashing it the same way and checking whether the result is the same as the stored version.

Passwords
Everybody can see passwd. (On old Unix systems /etc/passwd, hashes included, was world-readable; modern systems keep the hashes in /etc/shadow, readable only by root, for exactly this reason.)
But you don't know what to type to make crypt spit out the string stored in the password file: the hash cannot be reversed, only guessed at.
Given time and a copy of the file, an attacker can crack the passwords in it, so for security you need to change passwords every few months; the system, for its part, should use a slow hash with a per-user salt so each guess costs the attacker as much as possible.
Password file (one record per user, hashes shown schematically):
  /etc/passwd: Simon:Jd94@tg*7lf;5:Peter:7yg$dj#z,Gdew:David:mvj^jsl59Lksw:....
Login check for user Simon typing password Tow1ttf:
  Tow1ttf --crypt--> Jd94@tg*7lf;5, compared with the entry stored for Simon

End to End Encryption
You cannot trust the physical security of the network, so encryption should occur at each end: the sending and the receiving machine encrypt and decrypt the communication, and everything in between is treated as public communication which anyone can see.
Email is not secure, and neither are text messages or ordinary chat programs.

SSH and SFTP
Telnet sends passwords as plain text; any computer on the path, or on the same shared network, could intercept them.
FTP sends files, usernames and passwords unencrypted.
SSH and SFTP are secure replacements for Telnet and FTP: they encrypt all the communication between the two computers, so packet sniffers will not gain access to your data (they can still see that the two machines are talking, and how much).

https
Secure HTTP connection: uses SSL (today TLS) for secure transmission of information. Shown by the padlock icon in the browser.
Certificates: a certificate authority such as VeriSign issues a certificate for a site's name, so the browser can check that the page you are connecting to is owned by the company you want to connect to. Check the name in the certificate, not just the presence of the padlock.
Only protects information while it is on the internet: key loggers on your own machine will still grab your information.

Firewall
Software or hardware that prevents unauthorised access to or from a private network or computer (a private network being a collection of computers networked together).
Every single packet is checked against a set of rules to make sure that it is part of the communication that you want to happen; anything else is dropped.
Programs communicate using ports: port 80 is agreed to be the HTTP port. A firewall can block ports so that connections cannot be made to your machine on a blocked port, while still letting in the replies to connections your machine started.

Proxy server / gateway
Proxies are "middle men": the client talks to the proxy, and the proxy talks to the server on the client's behalf, so it can decide which connections to make and inspect what passes through.
[Diagram: Client -> Proxy (makes decisions about connections) -> Server]

Proxy
The proxy firewall can protect you in a number of ways:
  worms cannot connect to your computer, or out from your computer
  Trojans and viruses may not be able to send information back out to the network
  it can scan for viruses and some Trojans
  your computer's IP address can remain hidden, so that it is harder to collect information about you

Practical Steps
Do: update, update and update. Use good, unique passwords. Have different levels of passwords (the one for your bank is not the one for a forum). Password-protect your laptop. Change your passwords on a regular basis.
Don't: use words, names, birthdays etc. in passwords. Put private information in obvious places. Click links in emails. Give out information about passwords asked for via email.

Practical Steps
Do: set up the Windows firewall (XP Service Pack 2 has the firewall on as standard). Use a proxy. Install antivirus software. Think about what you have to lose.
Don't: download executables from pirate sites. Try to do any packet sniffing.