Security: Chapter 15, CNS 3660 (lecture slides on crackers, "malicious computer users" of varying intentions and abilities)
Posted on 18-Dec-2015
TRANSCRIPT
SECURITY
Chapter 15
CNS 3660
Crackers
"malicious computer users"
Varying intentions and abilities
What motivates people to break into computer systems?
Also: Does it matter what their motivations are?
Motivation
• a challenge
• notoriety
• ideological ("cyber warfare")
• steal money
• free goods and services
• fun
Stopping crackers
• Back up important information
• Have hiring policies that attract honest and loyal staff
• Choose secure software and keep it up to date
• Train staff to identify weaknesses
• Use audits and logs to detect break-ins
"Most successful attacks on computer systems take advantage of well-known weaknesses such as easily guessed passwords, common misconfigurations, and old versions of software."
How important is your information?
• Hobby user
• Business
• Bank
• Military
Why would crackers break into a hobby system?
"Even the computer with the least interesting data still has significant appeal as an anonymous launching pad for attacks on other systems."
Security Threats
• Exposure of confidential data
• Loss of data
• Repudiation
• Modification of data
• Denial of service
• Errors in software
Exposure of confidential data
• Don't store secret info on the web server. What belongs there is limited to:
– info that is provided to the public
– info that has recently been collected from the public
• Remove unnecessary services
• Design, configure, code and test carefully
• Require authentication
• Use encryption
(More on authentication and encryption later.)
Loss of data
Causes: break-ins, careless employees, hard drive crashes
• Back up your data
• Keep backups away from your computer
– Safe deposit boxes in two different cities
– Source code, compiler, OS, etc.
– Copy of thesis in seven different places (car, freezer, etc.)
• Test your recovery procedure
Modification of data
Prevent:
– File permission facilities of the OS
– Encryption
Detect (can be difficult):
– Checksums
– Store the checksums off-line, where an intruder who changed the data cannot also recompute them
Recover:
– Logs and backups
Denial of service (DoS)
Someone's actions make it difficult or impossible for users to access a service.
Year 2000 attacks on eBay, Amazon, Yahoo!, etc.
"one of the most difficult threats to guard against"
Why?
Errors in software
• Web projects often have short development times
• Effects of errors in software
– service unavailability
– security breaches
– financial losses
– poor service to customers
Common causes of errors
• Poor specifications
• Assumptions made by developers
– Data will be valid, will not contain unusual characters, or will be less than a certain size
– Assumptions about timing of events
• Poor testing
Secure coding
Is the strcpy function in C and C++ a security problem?
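Answer, as an added example rather than code from the slides: yes. strcpy() copies until it reaches the source's NUL terminator and never considers the destination's size, so a caller that passes attacker-controlled input into a fixed-size buffer has a buffer overflow. The block below (constructed inputs; the function names are this example's own) shows the unsafe call beside a bounded copy that rejects input that does not fit.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* fixed-size buffer on the stack */

/* The call the question is about. strcpy() copies from src until it finds
 * the terminating NUL and never looks at how large dst is. Hand it 40 bytes
 * for this 16-byte buffer and the rest is written past the end of `name`,
 * over whatever the compiler placed next on the stack (other locals, the
 * saved frame pointer, the return address). */
int greet_unsafe(const char *user_supplied) {
    char name[NAME_LEN];
    strcpy(name, user_supplied);            /* no bounds check at all */
    return (int)strlen(name);
}

/* Bounded replacement: the destination size is explicit, the source is
 * measured without reading past that size, and input that does not fit is
 * rejected rather than silently truncated (truncation has its own bugs, e.g.
 * a path or e-mail address cut in half). Returns 0 on success, -1 if the
 * input was rejected; dst is NUL-terminated on success. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    if (dst_size == 0)
        return -1;
    while (n < dst_size && src[n] != '\0')  /* scan at most dst_size bytes */
        n++;
    if (n == dst_size)
        return -1;                          /* no room for the terminating NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int greet_safe(const char *user_supplied) {
    char name[NAME_LEN];
    if (copy_bounded(name, sizeof name, user_supplied) != 0)
        return -1;                          /* over-long input rejected */
    return (int)strlen(name);
}

int main(void) {
    /* constructed inputs */
    const char *short_name = "fred";
    const char *long_name  = "a name far longer than sixteen bytes";
    printf("greet_safe(short)   = %d\n", greet_safe(short_name));   /* 4 */
    printf("greet_safe(long)    = %d\n", greet_safe(long_name));    /* -1 */
    printf("greet_unsafe(short) = %d\n", greet_unsafe(short_name)); /* 4 */
    /* greet_unsafe(long_name) is deliberately not called: it would overflow
     * `name`, and what happens after that is undefined behaviour. */
    return 0;
}
```

strncpy() is not a drop-in fix: when the source is at least as long as the size argument it leaves dst without a NUL terminator, and otherwise it zero-fills the remainder. Compiler mitigations such as stack canaries and _FORTIFY_SOURCE only turn the overflow into a crash; the fix is checking the length against the destination size before copying.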
"Historically, the operating system or application level weaknesses exploited by crackers have usually been related either to buffer overflows or race conditions."
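The second weakness in the quotation, a race condition, is easiest to see on the file system. The added example below (not from the slides; the function names and the /tmp paths are this example's own) shows the classic time-of-check/time-of-use pattern, where a program checks a path with access() and then opens it, beside a version that opens first and inspects the descriptor it actually got. demonstrate() builds the attacker's setup itself: a regular file and a symlink pointing at it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Time-of-check/time-of-use: access() answers "can the caller read what this
 * path names right now?". Nothing stops a local attacker from replacing the
 * path (e.g. with a symlink to a file they may not read) between that answer
 * and the open() below, which then follows the link. Returns an open
 * descriptor or -1. */
int open_racy(const char *path) {
    if (access(path, R_OK) != 0)      /* time of check */
        return -1;
    return open(path, O_RDONLY);      /* time of use: same string, maybe another file */
}

/* Open first, then inspect the object actually opened through its descriptor.
 * O_NOFOLLOW makes open() fail on a symlink at the final path component, and
 * fstat() reports on the open file rather than on whatever the path names
 * now, so there is no window in which the answer can change. */
int open_checked(const char *path) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Creates a regular file plus a symlink to it under /tmp (both constructed
 * here) and exercises the two openers. Returns 0 when the racy opener follows
 * the link and the checked opener refuses it, a small non-zero code otherwise. */
int demonstrate(void) {
    char file[] = "/tmp/toctou-target-XXXXXX";
    char link[64];
    int rc = 0, fd;

    fd = mkstemp(file);                          /* the real file */
    if (fd < 0) return 1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file); /* the swapped-in symlink */
    if (symlink(file, link) != 0) { unlink(file); return 2; }

    fd = open_racy(link);                        /* follows the link: "works" */
    if (fd < 0) rc = 3; else close(fd);

    fd = open_checked(link);                     /* O_NOFOLLOW: refused */
    if (fd >= 0) { close(fd); rc = 4; }

    fd = open_checked(file);                     /* the genuine regular file */
    if (fd < 0) rc = 5; else close(fd);

    unlink(link);
    unlink(file);
    return rc;
}

int main(void) {
    int rc = demonstrate();
    printf("demonstrate() = %d (%s)\n", rc,
           rc == 0 ? "checked opener closed the race window" : "unexpected");
    return rc;
}
```

O_NOFOLLOW only refuses a symlink at the last component of the path; if an attacker controls one of the parent directories, the safer pattern is to open the directory once and use openat() relative to that descriptor. access() is also the wrong tool for a second reason: it checks the real rather than the effective user ID, which is usually not the question a set-uid program needs answered.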
Repudiation
• "when a party involved in a transaction denies having taken part"
• Issues:
– Authentication
– Tamperproof messages
• E-commerce companies get certificates
• Customers usually do not have certificates
Balancing Usability, Performance, Cost, and Security
• Competing goals
• Ask yourself:
– How valuable is your information?
– What is your budget?
– How many visitors do you expect to serve?
– What obstacles will users put up with?
Authentication Principles
Authentication: proving that someone is who they claim to be
What authentication techniques are you familiar with?
Which are in common use on the web?
Authentication techniques
• passwords
• digital signatures
• biometric techniques
• hardware – smart cards, keys, etc.
• documents – passport, driver's license, etc.
What are biometric techniques?
Of these techniques, only passwords and digital signatures are commonly used with web applications.
Passwords
• Simple concept that is widely used.
• Secure as long as no one else finds out the password.
What are the advantages and disadvantages of using passwords?
Advantages of passwords
• Simple, cheap, and easy
• Relatively effective
Disadvantages of passwords
• Passwords can be captured from a file or from network traffic (especially when unencrypted)
• Many passwords are easily guessed
– Educate users
– Enforce a password selection policy
What happens if you force selection of hard-to-remember passwords?
(A written note: "user name fred, password k3%mq9")
How users remember hard-to-remember passwords: by writing them down.
Creating passwords
• Random character strings
• Combination of two short words with special characters or digits
• First letter in phrase or line from song
• Diceware: http://world.std.com/~reinhold/diceware.html
HTTP basic authentication
• Server requests authentication info
• Browser stores the details and sends them to the server with each request
• Transmits user id and password in the clear (base64-encoded, which is not encryption)
• Set up realm name, user names, passwords
Problems with basic authentication
• No secure identification of the host
• Cracker can replay the request
• Cracker can capture packets and obtain the password
– HTTP also provides digest authentication, which uses MD5 to "disguise the details"; only slightly more secure than plaintext
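To make "in the clear" concrete for the two slides above, the added example below (not from the slides or from Apache; the header format is the one RFC 7617 specifies, the credentials are the slide's own fred / k3%mq9, and the function names are this example's own) builds the Authorization header a browser sends and then decodes it the way anyone reading the packet would. The base64 routines are written out rather than taken from a library so the point is visible: base64 is an encoding, not encryption, and reverses with no key.

```c
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode len bytes of in into out (out needs 4*ceil(len/3)+1 bytes).
 * Returns the number of characters written. */
size_t b64_encode(const unsigned char *in, size_t len, char *out) {
    size_t i = 0, o = 0;
    while (i < len) {
        size_t rem = len - i;
        unsigned v = (unsigned)in[i] << 16;              /* first byte always present */
        if (rem > 1) v |= (unsigned)in[i + 1] << 8;
        if (rem > 2) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = rem > 1 ? B64[(v >> 6) & 63] : '=';  /* '=' pads a short group */
        out[o++] = rem > 2 ? B64[v & 63] : '=';
        i += 3;
    }
    out[o] = '\0';
    return o;
}

static int b64_value(char c) {
    const char *p = c ? strchr(B64, c) : NULL;
    return p ? (int)(p - B64) : -1;                      /* -1: not a base64 digit */
}

/* Decode base64 text into out (out needs 3*len/4+1 bytes). Returns the byte
 * count, or -1 on malformed input; out is NUL-terminated for printing. */
int b64_decode(const char *in, unsigned char *out) {
    size_t len = strlen(in), o = 0;
    if (len % 4 != 0) return -1;
    for (size_t i = 0; i < len; i += 4) {
        int a = b64_value(in[i]), b = b64_value(in[i + 1]);
        int c = in[i + 2] == '=' ? -2 : b64_value(in[i + 2]);   /* -2: padding */
        int d = in[i + 3] == '=' ? -2 : b64_value(in[i + 3]);
        if (a < 0 || b < 0 || c == -1 || d == -1 || (c == -2 && d != -2)) return -1;
        out[o++] = (unsigned char)((a << 2) | (b >> 4));
        if (c != -2) out[o++] = (unsigned char)(((b & 15) << 4) | (c >> 2));
        if (d != -2) out[o++] = (unsigned char)(((c & 3) << 6) | d);
    }
    out[o] = '\0';
    return (int)o;
}

/* What the browser sends: "Authorization: Basic " + base64("user:password"). */
void make_basic_header(const char *user, const char *password, char *out, size_t out_size) {
    char creds[256], enc[4 * sizeof creds];
    snprintf(creds, sizeof creds, "%s:%s", user, password);
    b64_encode((const unsigned char *)creds, strlen(creds), enc);
    snprintf(out, out_size, "Authorization: Basic %s", enc);
}

/* What anyone who can read the packet does with it: strip the prefix and
 * base64-decode. Returns 0 and fills user/password, -1 if it is not a Basic
 * credential or is malformed. */
int read_basic_header(const char *header, char *user, size_t user_size,
                      char *password, size_t pw_size) {
    static const char prefix[] = "Authorization: Basic ";
    unsigned char decoded[256];
    if (strncmp(header, prefix, sizeof prefix - 1) != 0) return -1;
    const char *b64 = header + sizeof prefix - 1;
    if (strlen(b64) > 340) return -1;                    /* 340 chars -> at most 255 bytes */
    if (b64_decode(b64, decoded) < 0) return -1;
    char *colon = strchr((char *)decoded, ':');
    if (!colon) return -1;
    *colon = '\0';
    snprintf(user, user_size, "%s", (char *)decoded);
    snprintf(password, pw_size, "%s", colon + 1);
    return 0;
}

int main(void) {
    char header[128], user[64], password[64];
    make_basic_header("fred", "k3%mq9", header, sizeof header);  /* the slide's example credentials */
    printf("on the wire: %s\n", header);
    if (read_basic_header(header, user, sizeof user, password, sizeof password) == 0)
        printf("recovered:   user=%s password=%s\n", user, password);
    return 0;
}
```

Neither Basic nor Digest authentication protects the rest of the request or identifies the server; the transport has to provide that (TLS, i.e. HTTPS), which is why both are used only over encrypted connections in practice.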
Basic authentication with Apache
• Can use an .htaccess file in the directory
– Server must parse the file with every request
• Can also use the httpd.conf file
– more efficient than .htaccess
• Use the htpasswd command to create the password file
– stores password hashes rather than the passwords themselves
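Added configuration example (not from the slides; the realm name, paths and user are made up here) showing the same protection written both ways described above: as an .htaccess file in the protected directory, and as a <Directory> block in httpd.conf.

```apache
# Option 1: .htaccess inside the protected directory. Requires
# "AllowOverride AuthConfig" for that directory in httpd.conf, and Apache
# re-reads this file on every request.
AuthType Basic
AuthName "Members Area"
AuthUserFile /etc/apache2/.htpasswd-members
Require valid-user

# Option 2: the same rules in httpd.conf, parsed once at startup.
<Directory "/var/www/html/members">
    AuthType Basic
    AuthName "Members Area"
    AuthUserFile "/etc/apache2/.htpasswd-members"
    Require valid-user
</Directory>
```

Create the password file with `htpasswd -c -B /etc/apache2/.htpasswd-members fred` (-c creates the file, -B selects bcrypt; drop -c when adding further users), and keep it outside the document root so it can never be fetched over the web. `Require valid-user` accepts any account in the file; `Require user fred` limits access to named accounts.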
Encryption basics
"An encryption algorithm is a mathematical process to transform information into a seemingly random string of data."
Plaintext → Encryption algorithm → Ciphertext
One-way encryption
The encryption algorithm is not reversible for one-way encryption.
When is one-way encryption useful?
Plaintext → Encryption algorithm → Ciphertext (no decryption step)
Two-way encryption
• The decryption algorithm recovers the plain text.
• Encryption and decryption require the same key
Plaintext → Encryption algorithm (key) → Ciphertext → Decryption algorithm (same key) → Plaintext
Public key encryption
• Two keys:
– Private key is secret
– Public key is distributed freely
Plaintext → Encryption algorithm (public key) → Ciphertext → Decryption algorithm (private key) → Plaintext
Digital signature
• Encrypt with the private key
– Usually only the message digest (hash) is encrypted
• Decrypt with the public key to verify
Plaintext → Encryption algorithm (private key) → Ciphertext → Decryption algorithm (public key) → Plaintext
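The public-key encryption and digital signature slides above describe the same operation used in opposite directions. The added example below (not from the slides) works both through with textbook RSA on a tiny constructed key (p = 61, q = 53) so the numbers can be followed by hand; the function names are this example's own and the digest is a toy stand-in for a real hash. The key size, the absence of padding and the toy digest are all things a real implementation must not copy: use a library that applies PKCS#1 or PSS padding over a SHA-2 digest.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Toy key pair, constructed here from p = 61, q = 53:
 * n = p*q = 3233, phi = 60*52 = 3120, public exponent e = 17,
 * private exponent d = 2753 since 17 * 2753 = 46801 = 15 * 3120 + 1.
 * Real keys are 2048 bits or more; this one exists only to show the arithmetic. */
#define RSA_N 3233u
#define RSA_E 17u
#define RSA_D 2753u

/* base^exp mod m by square-and-multiply; operands stay far below 2^32 here,
 * so the 64-bit intermediate product cannot overflow. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1) result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

/* Public key encryption: anyone holding (e, n) can encrypt a block smaller
 * than n; only the holder of d can recover it. */
uint64_t pk_encrypt(uint64_t block) { return modpow(block, RSA_E, RSA_N); }
uint64_t pk_decrypt(uint64_t c)     { return modpow(c, RSA_D, RSA_N); }

/* Toy stand-in for the message digest (a real signature hashes with SHA-256).
 * This weighted byte sum keeps values below n; for messages of up to 25
 * characters any single-character change is guaranteed to change it. */
uint64_t toy_digest(const char *msg) {
    uint64_t h = 0;
    for (size_t i = 0; msg[i] != '\0'; i++)
        h = (h + (uint64_t)(unsigned char)msg[i] * (i + 1)) % RSA_N;
    return h;
}

/* Digital signature: the signer "encrypts" the digest with the private key. */
uint64_t rsa_sign(const char *msg) { return modpow(toy_digest(msg), RSA_D, RSA_N); }

/* Verification: "decrypt" the signature with the public key and compare it with
 * a fresh digest of the message actually received. Returns 1 on match, else 0. */
int rsa_verify(const char *msg, uint64_t signature) {
    return modpow(signature, RSA_E, RSA_N) == toy_digest(msg);
}

int main(void) {
    const char *order = "pay alice 100";            /* constructed message */
    uint64_t sig = rsa_sign(order);
    printf("digest=%llu signature=%llu\n",
           (unsigned long long)toy_digest(order), (unsigned long long)sig);
    printf("verify original: %d\n", rsa_verify(order, sig));            /* 1 */
    printf("verify tampered: %d\n", rsa_verify("pay alice 900", sig));  /* 0 */
    uint64_t c = pk_encrypt(65);
    printf("encrypt 65 -> %llu -> decrypt %llu\n",
           (unsigned long long)c, (unsigned long long)pk_decrypt(c));   /* 2790, 65 */
    return 0;
}
```

The same modpow() serves both directions; which key goes in decides whether the result is confidentiality (encrypt with the public key) or a signature (encrypt with the private key). The tampered order fails because the verifier recomputes the digest from the message it received, not from anything the signer supplied.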
Digital Certificates
• Issued by a certifying authority (CA), e.g. Verisign
• Signed by the CA (the certificate's digest is encrypted with the CA's private key)
• Includes server's public key
• More later with secure transactions
Other security issues
• Auditing and logging
• Firewalls
• Data backups
• Physical security