Security – 1h


The Internet – a global network of networks

Information travelling on the internet takes a circuitous route through several intermediate computers and data links to reach any destination computer. You have no control over the route your information takes to reach its destination. This offers possibilities for information to be intercepted and corrupted. Naturally, this raises issues of security.

The aims of computer security

The first aim is the prevention of unauthorised access. We try to prevent assets from being damaged or used by unauthorised interlopers.

If we can’t be successful at that (and we can’t ever guarantee 100% prevention), we can try to detect when an asset has been damaged or accessed.

On discovery of unauthorised use, we can respond to recover assets, repair damage to assets and inform others.

Issues

Confidentiality: Unauthorised disclosure of information

Integrity: Prevent unauthorised modification of information

Availability: Prevent unauthorised withholding of information

Authenticity: Are you what you say you are?

Accountability: Can I be sure that the last transaction was encrypted?

Dependability: Will this always be the case, or do you have a non-secure server when the secure server is down?

Username and Password

Password guessing is one way to gain access to a computer. This may be done by various kinds of search. An exhaustive search simply tries all combinations of all characters until it is successful. This can take a long time. Intelligent search techniques use lists of likely or popular passwords – it is faster.

Password spoofing is a way of persuading a user to reveal her password. One way is to pretend to be from the IT section and ask for the password.

Some are persuaded to log-in to a fake site, pretending to be their bank. Another way is to crack an easy site where security is not so important, and then look for where users have reused passwords on more critical sites.

A hacker may steal a company’s password file. This gives him access to ALL the accounts. What happens if an overseas call-centre starts selling your passwords as well as your credit card data?

Network solutions

Passwords may be checked for strength. Checkers can search for weak passwords (ones which are in the dictionary). A program can be used to generate random but pronounceable passwords. Force the user to change password every three months or so to stop compromised passwords being used. Then prevent the last ten being reused for similar reasons.

The system can limit log-in attempts to prevent brute force attacks. Inform user of number of unsuccessful log-ins so she will be made aware of unauthorised attempts.
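One way to implement the attempt limit and the unsuccessful log-in notice described above, as an added example that is not part of the original notes. The threshold of five failures, the 15-minute lockout and the names `LoginGuard` and `attempt` are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_FAILURES = 5            # assumed threshold, not from the notes
LOCKOUT_SECONDS = 15 * 60   # assumed lockout period, not from the notes


@dataclass
class LoginState:
    consecutive_failures: int = 0
    failures_since_last_login: int = 0
    locked_until: float = 0.0


class LoginGuard:
    """Tracks failed log-ins per user and locks the account after too many."""

    def __init__(self):
        self.states = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        st = self.states.setdefault(user, LoginState())
        if now < st.locked_until:
            # During lockout the password result is ignored, so a correct
            # guess gives no signal; the attempt is still counted.
            st.failures_since_last_login += 1
            return "locked"
        if not password_ok:
            st.consecutive_failures += 1
            st.failures_since_last_login += 1
            if st.consecutive_failures >= MAX_FAILURES:
                st.locked_until = now + LOCKOUT_SECONDS
                st.consecutive_failures = 0
                return "locked"
            return "denied"
        # Successful log-in: report the failures so the user can spot misuse.
        notice = st.failures_since_last_login
        st.consecutive_failures = 0
        st.failures_since_last_login = 0
        return f"ok: {notice} unsuccessful log-in attempt(s) since your last log-in"
```

A lockout can itself be used to keep the legitimate user out, so the lockout period is a trade-off between slowing guesses and availability.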

The user’s access can be limited only to what she needs: log-in/log-out, server access, database read only or database write.

Cryptography Issues

Three functions of cryptography:

Secure encryption and decryption of data to prevent unauthorised access

Verification that the data was sent by the stated sender

Validation that data was received unaltered

Private-Key Encryption

The same key is used for both encoding and decoding. When sending a message from A to B:

A encodes a message with his/her private key

A sends the message to B

A must also send his/her private key to B

B decodes A’s message with A’s private key

This poses the problem of key security: steal the key and the code can be broken.

Every time the key is transferred there is risk of it being intercepted. Furthermore, the same key may be shared by too many people.

Public-Key Encryption

Two keys are required: The two keys are different but linked (Asymmetric key-pair).

These are: A public key, which can be copied and given out freely, and a private key which is retained by you only. It could reside on your computer as a password-protected file (message digest), or it could be stored solely on your floppy disk (further security). People send you information encoded with your public key that can only be decoded by you with your private key (confidentiality).

Hash functions

A hash function algorithm, such as MD5 (Message-Digest algorithm 5), produces a fixed-length hash (~32 bits) from a variable-length message. It is computationally infeasible to find a message with that hash; in fact one can't determine any usable information about a message with that hash, not even a single bit.

A public one-way hash function can be used to speed up a public-key digital signature system. Rather than sign a long message, which can take a long time, compute the one-way hash of the message, and sign the hash.

Passwords may be stored as hashes, so accessing the password file does not compromise the users.
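The sketch below ties together storing passwords as hashes with the dictionary check and the last-ten reuse rule from the "Network solutions" section. It is an added example, not part of the original notes. It uses salted PBKDF2-HMAC-SHA256 rather than a bare MD5 hash, and the word list, the iteration count and the names `Account` and `hash_password` are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample list; a real checker would load a full dictionary.
COMMON_WORDS = {"password", "letmein", "dragon", "sunshine", "qwerty"}


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt makes equal passwords
    hash differently; the slow KDF makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def matches(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class Account:
    def __init__(self, history_limit=10):
        self.history_limit = history_limit  # "prevent the last ten being reused"
        self.history = []                   # (salt, digest) pairs, newest last

    def set_password(self, password):
        # Strip trailing digits/"!" so "Password123" is caught as "password".
        if password.lower().strip("0123456789!") in COMMON_WORDS:
            return "rejected: dictionary word"
        # Old passwords are compared via their hashes; plaintext is never kept.
        if any(matches(password, s, d) for s, d in self.history):
            return "rejected: reused"
        self.history.append(hash_password(password))
        self.history = self.history[-self.history_limit:]
        return "accepted"

    def check(self, password):
        """Verify a log-in attempt against the current (newest) hash."""
        return bool(self.history) and matches(password, *self.history[-1])
```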

Cryptography Issues

The aim of cryptography is to secure encryption and decryption of data. This usually involves keys (secret codes used by the encryption algorithms). This permits verification that the data was sent by the stated sender. For extra security, a digital signature may be appended, giving validation that data was received unaltered.

Another security approach is the comparison of message digests (hashes).

Digital Certificates

Digital certificates are codes which are attached to a public key to reassure users that the public key they are about to accept is authentic. They are issued by a certification authority (CA), e.g. Verisign. Web browsers have a list of trusted CAs built into them.

In a typical usage scenario, a secure web page offers the web browser a public key (as a digital certificate). The web browser then checks the key for certification and the authority that certified it.

Secure Sockets Layer SSL

The Secure Sockets Layer (SSL) protocol is used to transmit information securely via the Internet. It delivers server authentication (it checks the site digital certificate). It assures message privacy (encryption of information moving between browser and server and unique session keys) and message integrity (it compares message digests).

Firewalls

A firewall is any security system protecting the boundary of an internal network (intranet, LAN). Its functions are to:

Perform access control based on sender or receiver addresses

Access control based on the service requested

Hiding the internal network from the outside world (e.g. topology, IP addresses)

Virus checking on incoming files

Authentication based on the source of traffic

Logging of internet activities

It does this by packet filtering and the use of proxy servers.
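A minimal packet filter showing access control by sender/receiver address and by requested service, with logging. This is an added example, not part of the original notes; the rule set, the addresses (documentation ranges) and the names `Rule` and `decide` are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    action: str            # "allow" or "deny"
    src: str               # sender network in CIDR form
    dst: str               # receiver network in CIDR form
    port: Optional[int]    # destination port (the service); None means any


# Constructed rule set for an internal network 10.0.0.0/8.
RULES = [
    Rule("deny",  "203.0.113.0/24", "0.0.0.0/0", None),   # blocked sender range
    Rule("allow", "0.0.0.0/0", "10.0.0.80/32", 443),      # public HTTPS server
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", 53),         # internal clients to DNS
    Rule("allow", "10.0.0.0/8", "0.0.0.0/0", 443),        # internal clients to HTTPS
]

audit_log = []  # the "logging of internet activities" function


def decide(src: str, dst: str, port: int, rules=RULES) -> str:
    """Return the action of the first matching rule; deny if none matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    action = "deny"  # default deny: anything not explicitly allowed is dropped
    for rule in rules:
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            action = rule.action
            break  # first match wins, so rule order matters
    audit_log.append((src, dst, port, action))
    return action
```

Because the first match wins, the deny rule for the blocked range must stay above the allow rule for the public server, or traffic from that range would reach it.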

Proxy Servers

A proxy server is a server located between a client (e.g. web browser) and the server the client is trying to contact. It intercepts the client’s request and decides whether it is permitted according to its security rules. It is the only entity seen by the outside world, while it appears transparent to internal users.

Hacking - DOS

A Denial of Service attack targets a web server. A malicious hacker causes a service (e.g. web server or mail server) to be unavailable or unusable. She does this by, for example, sending a stream of connection requests to the server to deplete it of memory or reach the server connection limit. The consequences of this action may be a refusal of further connection requests by the server or poor performance. A DOS attack is often coupled with a blackmail attempt.

Hacking - Cracking Passwords

The successful cracking of user passwords can allow unauthorised remote access to a system. A dictionary attack is the attempt to determine a decryption key or passphrase by searching a large number of likely possibilities. Successful remote access to a user’s account allows files to be copied or corrupted. Hacking used to be a game – now it is done by criminals for theft.

Virus

A virus is a piece of self-replicating code attached to some other piece of code, with a payload. The payload can range from non-existent/harmless to harmful, e.g. deleting/modifying files. A virus can infect a legitimate program by inserting itself into the program code. It can then attack executable program files, the file-directory or the boot process (e.g. bootstrap viruses can attack the BIOS).

Trojan Horses

A trojan horse is a program which produces hidden side-effects not intended by the user executing the program, e.g. Melissa - a macro virus which via Word attacked MS Outlook/Express. It can allow passwords and account details to be accessed remotely.

Worms

These are self-replicating, but not infecting. They are designed to attack networks (use active network connections in order to propagate). They can reduce server efficiency or crash the server. They can also allow information to be accessed remotely.

Cookies

A cookie is a text file created by a site’s web server and stored on your host machine by your web browser. It is an information packet sent from a server to a browser and thereafter sent back by the browser each time it accesses the server. It allows the creation of a user profile to improve user experience of the web (or invasion of privacy?). It can be blocked using browser settings.

mjr 6.8.08