Lecture 7 Security

Rev D 10/21/14
Privacy - definition given in the “Fluency” text
The right of people to choose freely under what circumstances and to what
extent they will reveal themselves, their attitudes, and their behavior to others.
Payment for a transaction with a credit card, check, ... ties the purchaser to the
item(s) selected. This information can be handled very differently.
Levels of privacy
1. No use of information. When the monetary compensation is settled all
personal collected info is deleted.
2. Opt-in requires approval by the individual as to the vendor's use of the
personal info.
3. Opt-out requires a notice by the individual to prevent any use of the info by
the store.
4. No limits allows the vendor to do as they please with the collected info as if
it is their property.
In 1980 the Office of Economic Cooperation and Development (OECD), a 29
member international organization concerned with international trade, decided
on a set of points defining privacy.
The European Union and many other countries adopted these principles as laws.
Their privacy laws covered all trade. The US on the other hand has not fully
implemented these principles in general law. Only in certain specific areas of
commerce are these privacy principles strictly followed.
Those countries following the stricter OECD principles are more like level 2.
The US follows more closely level 3.
Multinational companies coming out of the US have problems obtaining info
collected in Europe. Two major problems do not allow US companies to move
data from an EU country to the US.
1. Opt-in vs. Opt-out
2. A government office to enforce compliance with privacy laws vs. depending
upon the private sector doing its own policing.
Tight privacy drastically affects the marketing industry.
Phishing – See http://en.wikipedia.org/wiki/Phishing
Phishing is a method of identity theft by sending an email requesting personal
information. The email appears to come from a reputable organization, but in
reality is a fabrication.
Cookies http://computer.howstuffworks.com/cookie.htm
Definition – A cookie is a text file that a web server can store on a user's hard disk.
Implementation –
1. The first time a user accesses a web site the browser sends a request for a page.
2. The web server sends back the page plus a small text file (a cookie) that at the
minimum contains an id for that particular computer. If cookies are
enabled then the cookie is stored on the user's hard disk.
3. On further requests by the user to the same web site the cookie is also
transmitted. This way the web server knows who is contacting it versus any
other user.
This allows the following advantages to both user and site:
a. Shopping carts
b. Login info
c. Personalizing the site
d. Number of different users patronizing the site
e. Number of times the same user patronizes the site
Problems
1. Third party cookies are usually set by advertising organizations. A
browser only allows the receiving site to see its own cookies. Yet there
is a loophole. An advertising outfit will place links to its ad images or
content on the web site being addressed. For the user to download the
full page it has to also access the advertiser's web site, whereby a cookie is
also transmitted with the corresponding image. This method allows the
advertising organization to build a profile of all the places you have visited
where they have their ads placed. DoubleClick is an example of this. In
the Fluency text it is noted that a major security expert testified that in
monitoring a period of computer transactions he found 10% of them
were to DoubleClick. This is amazing since his intention was never to
access this site. Certainly they were obtaining a good profile of URLs being
visited.
2. Different users on the same machine.
3. Cookies get erased.
4. Same user on multiple machines.
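The cookie exchange in the Implementation steps and the third-party loophole in Problem 1, as an added example that is not part of the lecture. It models a browser cookie jar, a shop site, a news site and an ad network (all hostnames are made up) so that the same ad-network cookie is sent back from two unrelated sites, which is what lets the ad network build the cross-site profile described above; the `block_third_party` switch shows the mitigation of refusing cookies from hosts other than the page being viewed.

```python
# Added example (not from the lecture): first- and third-party cookies in a toy
# browser/server model. Hostnames and page URLs are constructed for the demo.
from http.cookies import SimpleCookie
import itertools


class Server:
    """A web server that hands out an id cookie and logs who it sees."""

    def __init__(self, host):
        self.host = host
        self._ids = itertools.count(1)
        self.visits = {}        # cookie id -> list of page URLs that caused a request

    def handle(self, cookie_header, referer):
        """Return (Set-Cookie value or None, cookie id used for this request)."""
        jar = SimpleCookie(cookie_header or "")
        if "id" in jar:                         # returning visitor: reuse the id
            cid, set_cookie = jar["id"].value, None
        else:                                   # first contact: assign a new id
            cid = f"{self.host}-{next(self._ids)}"
            c = SimpleCookie()
            c["id"] = cid
            c["id"]["path"] = "/"
            set_cookie = c.output(header="").strip()   # "id=...; Path=/"
        self.visits.setdefault(cid, []).append(referer)
        return set_cookie, cid


class Browser:
    """Keeps one cookie per host; can refuse cookies from third-party hosts."""

    def __init__(self, block_third_party=False):
        self.jar = {}                           # host -> "name=value" sent back later
        self.block_third_party = block_third_party

    def request(self, server, page_host, page_url):
        """Fetch from `server` on behalf of the page at page_url (hosted on page_host)."""
        set_cookie, cid = server.handle(self.jar.get(server.host), page_url)
        if set_cookie:
            third_party = server.host != page_host
            if not (third_party and self.block_third_party):
                self.jar[server.host] = set_cookie.split(";")[0]
        return cid


def simulate(block_third_party=False):
    """Visit two unrelated sites that both embed an image from the ad network."""
    ads, shop, news = Server("ads.example"), Server("shop.example"), Server("news.example")
    browser = Browser(block_third_party)
    for site, page in ((shop, "http://shop.example/cart"),
                       (news, "http://news.example/story"),
                       (shop, "http://shop.example/checkout")):
        browser.request(site, site.host, page)   # the page itself: first-party cookie
        browser.request(ads, site.host, page)    # embedded ad image: third-party cookie
    return ads.visits, shop.visits


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False)[0])
    print("third-party cookies blocked:", simulate(True)[0])
```

With third-party cookies allowed, the ad network sees one id across both sites and its log is the visitor's browsing profile; with them blocked, every ad request gets a fresh id and the profile falls apart, while the shop's own first-party cookie (shopping cart, login) keeps working.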
Secure Communication
In order to store and transmit information securely we usually encrypt it so
that it looks like gibberish. The original text is called plaintext and the encrypted
form is ciphertext.
1. Passwords entered are usually only encrypted through some type of
algorithm. They are then compared with a stored copy of the true encrypted
form. If identical the password is correct. No decryption is required in this
situation.
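What "compare with the stored encrypted form" looks like in practice, as an added example that is not part of the lecture: the password is run through a slow, salted one-way function (PBKDF2 from the Python standard library) and the login attempt is transformed the same way and compared, so the original password never needs to be recovered. The record format and iteration count are choices made for this example.

```python
# Added example (not from the lecture): storing a password as a salted, slow
# hash and checking a login attempt against it. Standard library only.
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # work factor; raise it as hardware gets faster


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salthex$hashhex' for storage.

    A random salt makes two users with the same password store different
    records, so one cracked record tells nothing about the other."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_password(record: str, attempt: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, stored_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    # hmac.compare_digest avoids leaking where the first mismatch occurs.
    return hmac.compare_digest(digest.hex(), stored_hex)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(check_password(rec, "correct horse battery staple"),
          check_password(rec, "wrong password"))
```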
2. Private key or symmetric encryption is used for very secure transmission.
Both sender and recipient have the same private key, which is used with the
plaintext to produce the ciphertext. The reverse, the restoration of the
plaintext, is done at the recipient's station through use again of the same
private key.
Problem
a. One has to have this secure key provided to both sides. They are usually
located far apart.
b. A user would have to have a key for every site they need secure
transmission with.
A very early example is Caesar's cipher – see
http://en.wikipedia.org/wiki/Caesar_cipher
A more recent method is to take the plaintext, convert it into its ASCII
representation in binary, and then XOR (exclusive or) the plaintext bits with
the private key. The private key is shorter than the text, so the same key is
XORed repeatedly with successive blocks of the code.
Suppose I used a 4-bit key such as 1101, repeated to cover the text:
Plaintext:          10010001
Encrypt, key of:    11011101
Ciphertext:         01001100
Decrypt, key of:    11011101
Plaintext again:    10010001
So we see that the XOR function has the property that applying it once with the
key encrypts and applying it again with the same key decrypts (XOR is its own
inverse).
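The repeated-key XOR just described, as an added example that is not part of the lecture. It reproduces the 4-bit key worked above (1101 repeated to 11011101 over the plaintext 10010001) and goes one step further than the text by converting ASCII characters to bits and back, so a whole message can be encrypted and restored with the same key.

```python
# Added example (not from the lecture): repeating-key XOR on bit strings. The
# key is repeated to the length of the text, each bit is XORed, and applying
# the same key again restores the plaintext.

def repeat_key(key: str, length: int) -> str:
    """Repeat a bit-string key until it covers `length` bits: 1101 -> 11011101."""
    return (key * (length // len(key) + 1))[:length]


def xor_bits(text: str, key: str) -> str:
    """XOR two bit strings of equal length, bit by bit."""
    return "".join("1" if a != b else "0" for a, b in zip(text, key))


def encrypt(plaintext_bits: str, key: str) -> str:
    """Ciphertext = plaintext XOR (key repeated to the plaintext length)."""
    return xor_bits(plaintext_bits, repeat_key(key, len(plaintext_bits)))


decrypt = encrypt   # XOR is its own inverse: the same operation with the same key decrypts


def text_to_bits(s: str) -> str:
    """ASCII text -> bit string, 8 bits per character."""
    return "".join(format(b, "08b") for b in s.encode("ascii"))


def bits_to_text(bits: str) -> str:
    """Bit string (multiple of 8 bits) -> ASCII text."""
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8)).decode("ascii")


if __name__ == "__main__":
    key = "1101"
    print("lecture example:", encrypt("10010001", key))          # 01001100
    c = encrypt(text_to_bits("Hello"), key)
    print("ciphertext bits:", c)
    print("decrypted:", bits_to_text(decrypt(c, key)))
```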
3. Public key or asymmetric encryption is implemented with both a public
and a private key.
a. Encryption – The public key is provided to all who would communicate with
the server. The user obtains the server's public key from a Key Distribution
Center (KDC) which holds all public keys for the various sites. The user
transmits a piece of data encrypted using this public key. The
recipient can decrypt the ciphertext using its private key. Of course the
public and the private key are related to each other. The recipient's
private key only works on ciphertext encrypted with its
corresponding public key.
b. Digital signature – How are we sure we receive info from a party who is
who they say they are? We use what we call a digital signature, which
also uses public key encryption. Only in this case the encryption is first
done by the sender of the document using its private key. The recipient
then uses the sender's public key to decrypt it for authentication.
c. Trusted certificates – Another question is how do we know this is a valid
organization that we can trust. They send us a public key, but they could
be a dishonest organization. We have organizations that are listed in
our browser as accepted. These organizations are called certificate
authorities (CA). A web site such as Amazon.com then pays one of these
organizations to vouch for it. The CA investigates that the information
in the applied-for certificate is genuinely correct. It then gives this
approval with its digital signature, just like a notary public does. Then
when this web site is requested over a secure SSL connection by a
user it sends this document (certificate) to prove its identity, just like
a driver's license or a passport does in the physical world.
Upon receipt of a certificate the user's computer checks the following:
1. The current web page URL matches the site name listed on the
certificate.
2. The trusted CA listed in the certificate is in the browser's CA
database.
3. The certificate's expiration date has not passed.
Failing any of the above will produce an error indicated
by the browser. It is sometimes worthwhile to check the
above conditions manually.
1. See the certificate on a secure connection: left click on lock > View
Certificates > Detail
2. See the trusted CA database: left click on Tools > Internet Options >
Contents > Certificates > Trusted Root Certification Authorities
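The three checks listed above (name matches, issuer is in the trusted CA database, not expired), as an added example that is not part of the lecture. The certificate and the trust store are constructed dictionaries standing in for what the browser reads from the certificate and its CA database; a real browser additionally verifies the CA's signature over the certificate and checks revocation, which this example does not model.

```python
# Added example (not from the lecture): the browser's three certificate checks
# run against a constructed certificate record and trust store.
from datetime import datetime, timezone

# Constructed trust store standing in for the browser's CA database.
TRUSTED_CAS = {"Example Root CA", "Another Trusted CA"}

# Constructed certificate as the browser would see its fields.
SAMPLE_CERT = {
    "subject": "www.shop.example",
    "alt_names": ["shop.example"],
    "issuer": "Example Root CA",
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}


def hostname_matches(host: str, cert_name: str) -> bool:
    """Exact match, or a single-label wildcard such as *.shop.example."""
    host, cert_name = host.lower(), cert_name.lower()
    if cert_name.startswith("*."):
        # The wildcard covers exactly one label: www.shop.example but not
        # a.b.shop.example and not the bare shop.example.
        return host.count(".") == cert_name.count(".") and host.endswith(cert_name[1:])
    return host == cert_name


def check_certificate(cert: dict, url_host: str, now: datetime,
                      trusted=TRUSTED_CAS) -> list:
    """Return a list of error strings; an empty list means all three checks pass."""
    errors = []
    names = [cert["subject"]] + cert.get("alt_names", [])
    if not any(hostname_matches(url_host, n) for n in names):          # check 1
        errors.append(f"name mismatch: {url_host} not in {names}")
    if cert["issuer"] not in trusted:                                    # check 2
        errors.append(f"issuer not trusted: {cert['issuer']}")
    if not (cert["not_before"] <= now <= cert["not_after"]):            # check 3
        errors.append("certificate expired or not yet valid")
    return errors


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(check_certificate(SAMPLE_CERT, "www.shop.example", now))      # []
    print(check_certificate(SAMPLE_CERT, "evil.example", now))
```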
The last procedure is to confirm the digital signature. See the following link.
http://en.wikipedia.org/wiki/File:Digital_Signature_diagram.svg
1. The message is hashed (turned into a fixed-size digest that looks like gibberish).
2. Using the private key the hashed data is encrypted to produce a digital
signature.
3. The hashed message together with the encrypted signature is transmitted.
4. The receiver, using the public key, decrypts the encrypted signature,
producing the original hashed data.
5. The receiver checks that the hashed data decrypted from the signature is the
same as the received hash data.
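The public-key operations of items 3a and 3b and the five signature steps above, as an added example that is not part of the lecture. It builds a textbook RSA key pair from two small constructed primes (10007 and 10009), encrypts with the public key and decrypts with the private key, then signs a SHA-256 hash of a message with the private key and verifies it with the public key. The primes are far too small for real use; they only make the arithmetic visible. The same `encrypt` is what item 4a below uses to carry a symmetric key to the other side.

```python
# Added example (not from the lecture): textbook RSA with tiny constructed
# primes, used for public-key encryption and for hash-then-sign signatures.
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) for primes p, q; e must be coprime to (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi"
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(public_key, m: int) -> int:
    """Item 3a: anyone with the public key can encrypt an integer m < n."""
    e, n = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of the private key recovers m."""
    d, n = private_key
    return pow(c, d, n)


def message_hash(message: bytes, n: int) -> int:
    """Step 1: hash the message; reduced mod n only because the toy modulus is tiny."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Step 2: encrypt the hash with the private key to produce the signature."""
    d, n = private_key
    return pow(message_hash(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Steps 4-5: decrypt the signature with the public key and compare hashes."""
    e, n = public_key
    return pow(signature, e, n) == message_hash(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair(10007, 10009)
    c = encrypt(pub, 424242)
    print("encrypt/decrypt:", c, decrypt(priv, c))
    sig = sign(priv, b"transfer 100 to account A")
    print("signature valid:", verify(pub, b"transfer 100 to account A", sig))
    print("altered message:", verify(pub, b"transfer 1000 to account A", sig))
```

Note that verification needs only the public key, so anyone can check the signature but only the private-key holder could have produced it; changing a single character of the message changes its hash and the check fails.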
4. Implementation
Public key encryption is very slow in decryption so it is mainly used to provide
a. A symmetric encryption key
b. A digital signature
Private key encryption is much faster for decryption and therefore is used
for text transmission.
Large amounts of text allow a hacker to eventually figure out the plaintext.
Tricks used are the frequency of letters or combinations of them. The
most common letters are, in order, e t a o i n s h r d l u. The most common
three-letter word of course is “the”. Once the plaintext is deciphered the key has
been uncovered.
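The Caesar cipher linked under item 2 together with the letter-frequency point just made, as an added example that is not part of the lecture. A Caesar shift moves every letter by the same amount, so the frequency pattern of the plaintext survives in the ciphertext: the most common ciphertext letter is almost always plaintext "e" shifted, which is why a key reused over a large amount of text gives itself away. The sample sentence is constructed for the demo.

```python
# Added example (not from the lecture): Caesar cipher plus a letter-frequency
# count showing that the ciphertext keeps the plaintext's frequency pattern.
from collections import Counter
import string

COMMON_ORDER = "etaoinshrdlu"   # the lecture's list of most common letters

# Constructed English sample; long enough for 'e' to dominate as usual.
SAMPLE = ("the best defense is to never reuse the same key; every extra message "
          "encrypted under the same key gives the attacker more text to see the "
          "pattern in")


def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift` positions (negative to undo); other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def letter_frequencies(text: str) -> Counter:
    """Count a-z only, case-insensitively."""
    return Counter(ch for ch in text.lower() if ch in string.ascii_lowercase)


def most_common_letters(text: str, k: int = 3) -> str:
    return "".join(ch for ch, _ in letter_frequencies(text).most_common(k))


def likely_shift(ciphertext: str) -> int:
    """The shift implied by assuming the top ciphertext letter is plaintext 'e'."""
    top = most_common_letters(ciphertext, 1)
    return (ord(top) - ord("e")) % 26


if __name__ == "__main__":
    ct = caesar(SAMPLE, 3)
    print("plaintext top letters :", most_common_letters(SAMPLE))
    print("ciphertext top letters:", most_common_letters(ct))
    print("shift suggested by frequency:", likely_shift(ct))
```

The frequency ranking of the ciphertext is the plaintext ranking with every letter moved by the key, so the distribution leaks the key even though no letter is readable; this is the reason the lecture gives for not pushing large volumes of text through one symmetric key.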
5. Credit Cards and Security
Card fraud is present because of theft of the physical card or the applicable
data.
Magnetic stripe card, specifically used in the US (least secure)
Magnetized data, track 2 (unencrypted)
• Name
• Card Number
• Expiration Date
• Customer Verification Value CVV1 (to check if the card is actually in the
merchant's hands)
Displayed on card
• Card Number
• Right-most digit is a checksum calculated to confirm the integrity of the
number (e.g. no mistake made when keyed in)
• Luhn algorithm used. Y is the check digit (the right-most digit); starting
from the left-most digit of the remaining 15, every other digit is doubled,
and the digits of any result of 10 or more are added together.
Digit   Doubled (every other digit)   Digits of result added
  5             10                           1
  3              3                           3
  1              2                           2
  8              8                           8
  0              0                           0
  1              1                           1
  7             14                           5
  1              1                           1
  4              8                           8
  5              5                           5
  2              4                           4
  7              7                           7
  9             18                           9
  1              1                           1
  4              8                           8
  Y
Total = 1+3+2+8+0+1+5+1+8+5+4+7+9+1+8 = 63
Y = (sum times 9) mod 10 = (63 x 9) mod 10 = 567 mod 10 = 7
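The Luhn computation worked in the table above, as an added example that is not part of the lecture. Given the 15 account digits it reproduces the check digit 7 using the lecture's formula, and given a full 16-digit number it reports whether the checksum holds, which is how a mistyped digit or two swapped adjacent digits is caught before the number is ever sent for authorization. The card number is the lecture's worked example, not a real account.

```python
# Added example (not from the lecture): Luhn check digit and validation.

def luhn_sum(digits: str) -> int:
    """Luhn sum of the digits to the left of the check digit: starting from
    the right-most of them, double every second digit (that one first), add
    the digits of any result of 10 or more, then add everything up."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:              # positions that get doubled, counted from the right
            d *= 2
            if d > 9:
                d -= 9              # same as adding the two digits of d (14 -> 5)
        total += d
    return total


def check_digit(account_digits: str) -> int:
    """Check digit Y for the digits to the left of it (the lecture's formula)."""
    s = luhn_sum(account_digits)
    return (s * 9) % 10             # equals (10 - s % 10) % 10


def is_valid(card_number: str) -> bool:
    """True when the right-most digit is the correct Luhn check digit."""
    digits = card_number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    return check_digit(digits[:-1]) == int(digits[-1])


if __name__ == "__main__":
    account = "531801714527914"               # the 15 digits from the table
    print("sum:", luhn_sum(account), "check digit:", check_digit(account))
    print("5318 0171 4527 9147 valid:", is_valid("5318 0171 4527 9147"))
    print("one digit mistyped:      ", is_valid("5318 0171 4527 9148"))
    print("two digits swapped:      ", is_valid("5318 0171 4527 9174"))
```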
• CVV2 (to check when the card is not in the merchant's hands)
Authentication
• Via signature
Protection
• Easily cloned when personal data is available
Next generation in the US is Chip and Signature
Globally Chip and PIN is used (most secure)
6. Malware or Malicious Software
a. Virus
A virus is a program that embeds itself in another program. Upon
running of this program it infects other files in the computer. The virus
can do damage or just leave a signature. Transmitting any infected
program to another computer will spread the virus.
b. Worm
A worm is a piece of malware that is an independent program.
That is, it doesn't require being inside another program to exist and do
damage. It spreads to other computers without being transmitted by
the user of the initially infected computer.
c. Trojan
Trojan programs are a type of virus that performs operations unbeknown to
the user while running a useful program. An example would be to
monitor your keystrokes and thus capture passwords.
d. Spyware
Spyware is installed software that contains undocumented functions.
This software usually calls home to report on your activities. Sometimes
it is announced in adware and you get to run a free application as
long as the spyware is allowed.
e. Vendors of Security Software
Symantec
McAfee
Avira
AVG
AVAST
7. Antivirus Software Check
EUROPEAN EXPERT GROUP FOR IT-SECURITY (EICAR)
http://www.eicar.org/86-0-Intended-use.html
Produced a test virus string which is detected by most virus scanners:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
It is also short and simple - in fact, it consists entirely of printable ASCII
characters, so that it can easily be created with a regular text editor. Any
anti-virus product that supports the EICAR test file should detect it in any
file providing that the file starts with the above 68 characters, and is
exactly 68 bytes long:
a. Copy and paste the string into Notepad
b. Save the file in Notepad as virustest.html
c. What happens?
d. Check if there is a quarantine folder with a file there
e. Do the same with the string: virus test
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
f. What happened?
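The properties quoted from EICAR above (68 printable ASCII characters, detected when a file starts with them), as an added example that is not part of the lecture. It checks the string in code and applies the quoted rule to in-memory samples shaped like lab steps b and e; the "scanner" is a few lines written for this example, not how any vendor's product actually works, and nothing is written to disk.

```python
# Added example (not from the lecture): the EICAR test string's stated
# properties, and the quoted detection rule applied to constructed samples.

EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed in-memory "files" mirroring the lab steps; none are real files.
SAMPLE_FILES = {
    "virustest.html": EICAR.encode("ascii"),                      # step b: string alone
    "virustest2.html": b"virus test " + EICAR.encode("ascii"),    # step e: text in front
    "notes.txt": b"just some notes",
}


def is_printable_ascii(s: str) -> bool:
    """True when every character is a visible ASCII character or a space."""
    return all(32 <= ord(ch) < 127 for ch in s)


def looks_like_eicar(content: bytes) -> bool:
    """The quoted rule: the file must begin with the 68-byte test string."""
    return content.startswith(EICAR.encode("ascii"))


def file_report(content: bytes) -> tuple:
    """(starts with the test string, length in bytes) so the 'exactly 68 bytes'
    condition from the quoted text can be checked alongside the prefix."""
    return looks_like_eicar(content), len(content)


def scan(files: dict) -> list:
    """Names of the files the quoted rule would flag, in sorted order."""
    return sorted(name for name, data in files.items() if looks_like_eicar(data))


if __name__ == "__main__":
    print("length:", len(EICAR), "printable ASCII:", is_printable_ascii(EICAR))
    for name, data in SAMPLE_FILES.items():
        print(name, file_report(data))
    print("flagged:", scan(SAMPLE_FILES))
```

Under the quoted rule only the file that begins with the string is flagged; putting any text in front of it (step e) means the file no longer starts with the 68 characters, which is the point the lab's "What happened?" invites you to observe with your own scanner.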
8. Botnets - Internet threat of millions of captured computers
a. http://articles.cnn.com/2006-01-31/tech/furst_1_botnets-web-siteclick-fraud?_s=PM:TECH
b. DoS (denial of service): blackmail sites by sending a huge amount of traffic.
c. Click fraud: set up a phony web site and show large advertising traffic.
d. Show up as a reputable seller, e.g. on eBay.