Computer Security and Authentication CS 5352 Spring 06

Software Engineering Institute
• Federally funded, sponsored by DoD
• Operated by Carnegie Mellon University
• About 400 employees
• Wants a smooth transfer of new Software Engineering Technology into practice
• Technical theme:
– Move left
– Reuse everything
– Never make the same mistake twice
CERT Coordination Center
• Overview
– Part of the SEI
– Formed by DARPA, 1988, after the worm incident
– About 100 employees
– 3,784 vulnerability reports (2003)
– 137,529 computer security incidents (2003)
• Purpose
– Analyse trends in attacks, vulnerabilities, impact
– Coordinate responses to security attacks
– Methods to evaluate, improve, maintain security
– Publish, disseminate good security practices
Survivability
• The ability of a system to fulfill its mission,
in a timely manner, in the presence of
attacks, accidents, and failures
Critical Need for Information Assurance
Incidents Reported to the CERT/CC (chart data, by year)
1995: 2412
1996: 2573
1997: 2134
1998: 3734
1999: 9859
2000: 21756
2001: 52658
2002: 82094
2003: 137529
Critical Need for Information Assurance
Vulnerabilities Reported to the CERT/CC (chart data, by year)
1995: 171
1996: 345
1997: 311
1998: 262
1999: 417
2000: 1090
2001: 2437
2002: 4129
2003: 3784
2004: 3780
2005: 5990
Critical Need for Indications and Warnings
Stages shown in the diagram:
– Novice Intruders Use Crude Exploit Tools
– Crude Exploit Tools Distributed
– Advanced Intruders Discover Vulnerability
– Automated Scanning/Exploit Tools Developed
– Widespread Use of Automated Scanning/Exploit Tools
– Intruders Begin Using New Types of Exploits
Critical Need for Better
Engineering Methods
• Resistance, recognition, and response must
be integrated into the system and
application architecture
Network protocols
• Designed for Arpanet, over 20 years ago
• But still used nowadays, under a totally
different environment
A Different Internet
• Armies may cease to march
• Stock may lose a hundred points
• Businesses may be bankrupted
• Individuals may lose their social identity
• Threats not from novice teenagers, but purposeful military, political, and criminal organizations
Why Should You Be Concerned
Personal data
Credit information
Medical information
Purchasing history
Corporate information
Political information
Societal infrastructure
Computer Vulnerability (2001)
Out-of-the-box Linux PC hooked to Internet, not announced:
[30 seconds] First service probes/scans detected
[1 hour] First compromise attempts detected
[12 hours] PC fully compromised:
– Administrative access obtained
– Event logging selectively disabled
– System software modified to suit intruder
– Attack software installed
– PC actively probing for new hosts to intrude
• Clear the disk and try again!
Motivations to Violate Security
• Ego
• Curiosity
• Greed
• Revenge
• Competition
• Political/Ideological
People and Computer Crime
• Most damage not due to attacks
“Oops!”
“What was that?”
• No clear profile of computer criminal
• Law and ethics may be unclear
Types of Attackers
• Script Kiddies
• Old-line hackers
• Disgruntled Employees
• Organized Crime
• Corporate Espionage
• Foreign Espionage
• Terrorists
Buffer overflow
• The most important avenue for
vulnerabilities
• Good programming practice: always verify that the input you receive from an uncontrolled source conforms to the expected format (and fits the buffer it is copied into)
Buffer overflow example
rlogin program (excerpt: the TERM environment variable is copied into a fixed 1024-byte stack buffer with no length check)

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *p;
        /* ... */
        char term[1024];
        /* ... */
        /* Vulnerable: strcpy() copies however many bytes TERM holds */
        (void)strcpy(term, (p = getenv("TERM")) ? p : "network");
        /* ... */
        return 0;
    }
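The hardened counterpart to the rlogin excerpt, added here as an illustration (it is not code from the slides or from rlogin itself): the environment value is measured against the destination size before anything is copied, and it is also checked against the character set a terminal name can legitimately contain, which is the "conforms to expected format" rule from the previous slide. The function names copy_term_safe, try_term and demo, the accepted character set, and the test inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define TERM_MAX 1024   /* same buffer size as the rlogin excerpt */

/* A terminal type name only ever needs letters, digits and a few punctuation marks
 * (assumed character set for this example). */
static int term_char_ok(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '+' || c == '.' || c == '_';
}

/* Bounded, validated replacement for the unchecked strcpy().
 * Returns 0 and fills dst on success; returns -1 and leaves dst empty when the
 * value would not fit or contains characters a terminal name cannot have.
 * A NULL or empty src falls back to "network", as rlogin does. */
int copy_term_safe(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0)
        return -1;
    if (src == NULL || src[0] == '\0')
        src = "network";
    /* Measure without walking past dstlen bytes: the input is untrusted. */
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n >= dstlen) {            /* no room for the terminating NUL: reject */
        dst[0] = '\0';
        return -1;
    }
    for (size_t i = 0; i < n; i++) {
        if (!term_char_ok((unsigned char)src[i])) {
            dst[0] = '\0';
            return -1;
        }
    }
    memcpy(dst, src, n + 1);      /* n bytes plus the NUL, all proven to fit */
    return 0;
}

/* Convenience wrapper: copy src into a scratch buffer of dstlen bytes (capped at TERM_MAX). */
int try_term(const char *src, size_t dstlen)
{
    char buf[TERM_MAX];
    if (dstlen > sizeof buf)
        dstlen = sizeof buf;
    return copy_term_safe(src, buf, dstlen);
}

/* Demonstration on constructed inputs, including a value far larger than the buffer. */
int demo(void)
{
    char term[TERM_MAX];
    char oversized[TERM_MAX + 512];             /* constructed: 1535 bytes of 'A' */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    int ok_normal = copy_term_safe("xterm-256color", term, sizeof term); /* 0 */
    int ok_huge   = copy_term_safe(oversized, term, sizeof term);        /* -1: rejected, not overflowed */
    int ok_unset  = copy_term_safe(NULL, term, sizeof term);             /* 0: term == "network" */
    return ok_normal == 0 && ok_huge == -1 && ok_unset == 0 && strcmp(term, "network") == 0;
}

int main(void)
{
    printf("hardened TERM copy behaves as expected: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

Rejecting an oversized value outright, rather than silently truncating it, keeps the behaviour predictable: a truncated terminal name would still be wrong, and a caller that logs the rejection gets a useful signal that something untrusted is feeding the program.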
Authentication
• Four classic ways to authenticate:
1. something you know (passwords)
2. something you have (smartcard)
3. something you are (fingerprint)
4. something you do (usage signature)
• None of these is perfect
Identity theft
• Fastest rising crime in the US
• FBI won’t help unless losses above $100,000.
• Someone can steal an identity with just a social security number!!!
Passwords
• Account - person using the system
• Username - Identity of account (public)
– limited characters, alphanumeric & special characters
– typically related to real name of user (not always), certain
names reserved
– unique on system
– fixed at account creation
• Passwords – Verification of identity (private)
– Less limited length and characters
– Fixed until changed
– Non-unique passwords – (both users have bad password)
• Many Multi-user Operating Systems have same
scheme
Password Security
• Password security depends on ONLY
you knowing the password
– Secure selection
– Secure handling
– Secure storage
Password Storage
• “trapdoor encrypted”
– scrambled in a way that cannot be unscrambled
– scrambling folds password over itself - lost bits
– different users with same password won’t have
same scrambled password
– login scrambles entered password and compares
against stored scrambled password
– original concept: since only scrambled passwords
are available, storage is secure (FALSE!)
• longpre:br1eXN8N3pyAB
Password Attacks
• Easy to Hard
– Given password
– Grab password
– Generate password
– Guess password
Given Password
• Look It Up
– Default passwords
– Posted passwords
• Ask for It (Social Engineering)
– As colleague
– As friend
– As administrator / authority
– As clueless & needy
• Countermeasures
– Education
– Other authentication
Grab Password (locally)
• Physical proximity
– Shoulder surfing
– Countermeasures
• Education
• Exercises
• One-time passwords
• Program access
– Trojan Horse
– Perverted program
– Countermeasures
• Integrity checks
• Other authentication
Other Network Attacks
• Tapping
– Method depends on network medium
– Countermeasures:
• Encryption
• Physical protection & inspection
• Van Eck Radiation
– Current through wire: Radio waves
– Receiver tunes in on hosts/network
– Countermeasures:
• Encryption
• Distance
• Emission Control
Generate Password
• Use a dictionary
• Requires: Scrambled password,
Encryption method & Large dictionary
• Password Cracking
– Natural language words and slang
– Backwards / Forwards / Punctuation and Numbers
inserted
– Program: 27,000 passwords in approx 3 seconds
(Pentium II/133)
• Countermeasures
– Preventive strike (BEWARE)
– Password rules
– Other authentication
Guess Password
• Use knowledge of user
– System information
– Personal information
– Occupation information
• Often combined with dictionary attack
• Countermeasures
– Password rules
– Other authentication
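The "password rules" countermeasure named on both the Generate Password and Guess Password slides, written out as a checker, added here as an example that is not part of the slides. It rejects the inputs those two slides describe a cracker trying: dictionary words used forwards, backwards, or with digits and punctuation inserted, plus the user's own username and personal information. The function name check_password, the thresholds (12 characters, three of four character classes), the seven-word DICTIONARY and the SAMPLE_PERSONAL list are all assumptions constructed for this example; a real deployment would load a large wordlist.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

#define PW_MAX 256

/* Result codes: 0 is acceptable, a negative value names the first rule broken. */
enum {
    PW_OK = 0,
    PW_TOO_SHORT = -1,
    PW_TOO_FEW_CLASSES = -2,
    PW_CONTAINS_USERNAME = -3,
    PW_CONTAINS_PERSONAL = -4,
    PW_DICTIONARY_WORD = -5
};

/* Constructed mini dictionary; a cracker's real list is hundreds of thousands of words. */
static const char *const DICTIONARY[] = {
    "password", "secret", "letmein", "welcome", "dragon", "qwerty", "monkey"
};

/* Constructed personal data a guesser might know about this sample user. */
static const char *const SAMPLE_PERSONAL[] = { "springfield", "1985", "rover" };
#define SAMPLE_NPERSONAL (sizeof SAMPLE_PERSONAL / sizeof SAMPLE_PERSONAL[0])

/* Lower-case, bounded copy of src into dst (dst holds PW_MAX bytes). */
static void lower_copy(char *dst, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < PW_MAX && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Keep only the letters, lower-cased, so "Password123!" collapses to "password". */
static void letters_only(char *dst, const char *src)
{
    size_t j = 0;
    for (size_t i = 0; src[i] != '\0' && j + 1 < PW_MAX; i++)
        if (isalpha((unsigned char)src[i]))
            dst[j++] = (char)tolower((unsigned char)src[i]);
    dst[j] = '\0';
}

static void reverse_str(char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < n / 2; i++) {
        char t = s[i]; s[i] = s[n - 1 - i]; s[n - 1 - i] = t;
    }
}

int check_password(const char *pw, const char *username,
                   const char *const *personal, size_t npersonal)
{
    char low[PW_MAX], core[PW_MAX], word[PW_MAX], lowuser[PW_MAX];
    size_t len = strlen(pw);
    int has_lower = 0, has_upper = 0, has_digit = 0, has_other = 0;

    if (len < 12)
        return PW_TOO_SHORT;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (islower(c)) has_lower = 1;
        else if (isupper(c)) has_upper = 1;
        else if (isdigit(c)) has_digit = 1;
        else has_other = 1;
    }
    if (has_lower + has_upper + has_digit + has_other < 3)
        return PW_TOO_FEW_CLASSES;

    lower_copy(low, pw);
    lower_copy(lowuser, username);
    if (strlen(lowuser) >= 3 && strstr(low, lowuser) != NULL)
        return PW_CONTAINS_USERNAME;          /* "Guess password": system information */
    for (size_t i = 0; i < npersonal; i++) {
        lower_copy(word, personal[i]);
        if (strlen(word) >= 3 && strstr(low, word) != NULL)
            return PW_CONTAINS_PERSONAL;      /* "Guess password": personal information */
    }

    letters_only(core, pw);
    for (size_t i = 0; i < sizeof DICTIONARY / sizeof DICTIONARY[0]; i++) {
        lower_copy(word, DICTIONARY[i]);
        if (strstr(low, word) != NULL)        /* word used forwards, with junk around it */
            return PW_DICTIONARY_WORD;
        if (strcmp(core, word) == 0)          /* digits / punctuation inserted */
            return PW_DICTIONARY_WORD;
        reverse_str(word);
        if (strcmp(core, word) == 0)          /* word spelled backwards */
            return PW_DICTIONARY_WORD;
    }
    return PW_OK;
}

int main(void)
{
    const char *samples[] = { "Password1!", "Drowssap2024!!", "MySpringfield1985!", "correct-Horse-Battery-9" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %d\n", samples[i], check_password(samples[i], "alice", SAMPLE_PERSONAL, SAMPLE_NPERSONAL));
    return 0;
}
```

The rules are applied in the order a user is most likely to trip them, and each returns a distinct code so the login program can tell the user which rule failed without ever echoing the password back.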
Password Changing
• When?
– Forced or voluntary
– Regularly or event driven
• Considerations
– Increase security?
• Fix a stolen password problem
• However, stolen passwords are often used quickly
• False sense of security
– Too frequent password changes encourage
• weak passwords
• written down passwords
Passwords on Many Machines
• One or Many?
– Ease of memorization vs. likelihood of writing
– Options:
• Secure stored passwords
• Network authentication method
• Algorithm for varying passwords
• Seldom used passwords in encrypted file
Something You Have
• Convert logical security to physical security
– One-time pad
– Strip card / smart card
– Dongle
– Challenge-Response calculator
• Problems: Cost & token issuing/handling
• Advantages: Physical presence; hard to hack
Smart cards for identification
• Hard to duplicate
• If weak protocol and a lot at stake, fakes
WILL appear
• Use of zero-knowledge algorithms
– Guarantee valid user but preserves privacy
• Attacks on smart cards
– Power supply
– Chemical stripping
– Emissions
Something You Are
• Biometrics: Measure physical characteristic
– Face geometry
– Hand geometry
– Fingerprint
– Voiceprint
– Retinal Scan
– Signature
• Advantages: Physical presence, not easily lost
• Disadvantages: Cost, Security, Variation, Handicaps, Success ratio