Lecture 29 - The University of Texas at Dallas

advertisement
Data and Applications Security
Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Attacks to Databases
Emerging Security Technologies
Biometrics
Secure Voting Machines
April 15, 2011
Outline of the Unit
 1. Brute-force (or not) cracking of weak or default
usernames/passwords
 2. Privilege escalation
 3. Exploiting unused and unnecessary database services and
functionality
 4. Targeting unpatched database vulnerabilities
 5. Stolen backup (unencrypted) tapes
 6. SQL injection
 http://www.darkreading.com/security/encryption/211201064/index.ht
ml
Brute-force (or not) cracking of weak or
default usernames/passwords
 Older versions of Oracle and others database systems used well
known default passwords
 New versions have changed this practice and don’t allow database
systems to keep default passwords
 Even unique, non-default database passwords aren’t hacker-safe –
with Bruce Force attacks and password cracking tools
 Steer clear of default passwords, and institute tight password
management and regular change-ups.
Privilege Escalation
 There have been several insider attacks that came as a result of a
malicious user possessing more system privileges than he or she
should have had.
 Outside attackers sometimes have higher-level privileges by
compromising the operating system.
 Privilege escalation usually has more to do with misconfiguration: A
user is mistakenly granted more access and privileges on the
database or related applications than he actually needs to do his job.
 Sometimes an inside attacker (or an outsider who has taken over a
victim’s machine) can go from one application to the database, even
if he doesn't have database credentials.
 Solution: Give users only the access and rights they need on the
database, nothing more
Exploiting unused and unnecessary database
services and functionality
 One of the first things an outside attacker will look for is whether his
potential victim is running the Listener feature on its Oracle
database. Listener seeks out and forwards network connections to
the Oracle database, and thus can expose users and database links.
 Via Google, an attacker can search and find exposed Listener
services on databases.
 Other features, such as hooks between operating systems and the
database, can leave the database exposed to an attack. Such a hook
can become a communications link to the database.
 Often, database administrators run too many services and services
may be open up to vulnerabilities
 Solution: Install only the database features you need.
Targeting unpatched database vulnerabilities
 Oracle and other database vendors patch their vulnerabilities.
However difficult for organizations to keep up with the patches
 Database vendors are careful not to disclose many details about the
vulnerabilities and their patches fix so that attackers are not notified
 Some hacker sites post exploit scripts for known database
vulnerabilities
 Solution: Organizations must be vigilant about installing patches in
a timely manner.
Stolen backup (unencrypted) tapes
 If the database data on the stolen are not encrypted and the tapes
get into the wrong hands then there is a huge problem
 But this type of attack is more likely to occur with an insider selling
the media to an attacker.
 Solution: Encrypt the critical data. Use a safe for sensitive database
tapes
SQL Injection
 SQL injection attacks occur where the fields available for user input
let SQL statements through to query the database directly.
 Outside of the client, Web applications typically are the weakest link.
In some cases, if the attacker gets a screen on the application for
username and password, all he has to do is provide a SQL statement
or database command and that goes directly to the database
 If the application does not examine the content of the logon. “The
problem is that the authentication and authorization has been moved
to the application server.
 Now instead of a user name, it is a SQL command put into a packet
and sent by the application server to the database.
 The database reads the SQL command, and it could shut down a
database altogether
SQL Injection
 Solution is to look at the content the user is providing.
 SQL injection attacks can occur both from the Web application to the
database, and from within the database itself.
 There are some programming practices that help prevent SQL
injection flaws in applications, such as using what are called “bind
variables,” or parameters for queries.
 In languages such as Java, that means using question marks as
placeholders in the SQL statement and binding the “received”
values to those placeholders
 Another practice is to avoid displaying certain database error
messages to avoid giving away potentially sensitive information to a
would-be attacker
SQL Injection
 Conasier ing a very simple web application that processes customer
orders. Suppose Acme Widgets has a simple page for existing
customers where they simply enter their customer number to
retrieve all of their current order information. The page itself might
be a basic HTML form that contains a textbox called
CustomerNumber and a submit button. When the form is submitted,
the following SQL query is executed:
SELECT *
FROM Orders
WHERE CustomerNumber = CustomerNumber
The results of this query are then displayed on the results page.
During a normal customer inquiry, this form works quite well.
SQL Injection
 Suppose John visits the page and enters his customer ID (14). The
following query would retrieve his results:
SELECT *
FROM Orders
WHERE CustomerNumber = 14
However, the same code can be a dangerous weapon in the hands of
a malicious user. Imagine that Mal comes along and enters the
following data in the CustomerNumber field: “14; DROP TABLE
Orders”. This would cause the following query to execute:
SELECT *
FROM Orders
WHERE CustomerNumber = 14; DROP TABLE Orders
SQL Injection
Solutions: Implement parameter checking on all applications. For
example, if you’re asking someone to enter a customer number,
make sure the input is numeric before executing the query. You may
wish to go a step further and perform additional checks to ensure
the customer number is the proper length, valid,
 Limit the permissions of the account that executes SQL queries. The
rule of least privilege applies. If the account used to execute the
query doesn’t have permission to drop tables, the table dropping will
not succeed!
 Use stored procedures (or similar techniques) to prevent users from
directly interacting with SQL code.
 As with many security principles, an ounce of prevention is worth a
pound of cure. Take the time to verify the code running on your
servers
Outline
 Digital Identity Management
 Identity Theft Management
 Digital Forensics
 Digital Watermarking
 Risk Analysis
 Economic Analysis
 Secure Electronic Voting Machines
 Biometrics
 Other Applications
 Lecture on Introduction to Biometrics
Digital Identity Management
 Digital identity is the identity that a user has to access an
electronic resource
 A person could have multiple identities
- A physician could have an identity to access medical
resources and another to access his bank accounts
 Digital identity management is about managing the multiple
identities
- Manage databases that store and retrieve identities
- Resolve conflicts and heterogeneity
- Make associations
- Provide security
 Ontology management for identity management is an
emerging research area
Digital Identity Management - II
 Federated Identity Management
- Corporations work with each other across organizational
boundaries with the concept of federated identity
- Each corporation has its own identity and may belong to
multiple federations
Individual identity management within an organization
and federated identity management across organizations
 Technologies for identity management
- Database management, data mining, ontology
management, federated computing
-
Identity Theft Management
 Need for secure identity management
- Ease the burden of managing numerous identities
- Prevent misuse of identity: preventing identity theft
 Identity theft is stealing another person’s digital identity
 Techniques for preventing identity thefts include
- Access control, Encryption, Digital Signatures
- A merchant encrypts the data and signs with the public
-
key of the recipient
Recipient decrypts with his private key
Digital Forensics
 Digital forensics is about the investigation of Cyber crime
 Follows the procedures established for Forensic medicine
 The steps include the following:
- When a computer crime occurs, law enforcement officials
-
who are cyber crime experts gather every piece of
evidence including information from the crime scene (i.e.
from the computer)
Gather profiles of terrorists
Use history information
Carry pout analysis
Digital Forensics - II
 Digital Forensics Techniques
- Intrusion detection
- Data Mining
- Analyzing log files
- Use criminal profiling and develop a psychological
profiling
- Analyze email messages
 Lawyers, Psychologists, Sociologists, Crime investigators
and Technologists have to worm together
 International Journal of Digital Evidence is a useful source
Steganography and Digital Watermarking
 Steganography is about hiding information within other
information
- E.g., hidden information is the message that terrorist may
be sending to their pees in different parts of the worlds
- Information may be hidden in valid texts, images, films
etc.
- Difficult to be detected by the unsuspecting human
 Steganalysis is about developing techniques that can analyze
text, images, video and detect hidden messages
- May use data mining techniques to detect hidden patters
 Steganograophy makes the task of the Cyber crime expert
difficult as he/she ahs to analyze for hidden information
- Communication protocols are being developed
Steganography and Digital Watermarking - II
 Digital water marking is about inserting information without
being detected for valid purposes
- It has applications in copyright protection
- A manufacturer may use digital watermarking to copyright
a particular music or video without being noticed
- When music is copies and copyright is violated, one can
detect two the real owner is by examining the copyright
embedded in the music or video
Risk Analysis
 Analyzing risks
- Before installing a secure system or a network one needs
to conduct a risk analysis study
- What are the threats? What are the risks?
 Various types of risk analysis methods
Quantitative approach: Events are ranked in the order of
risks and decisions are made based on then risks
Qualitative approach: estimates are used for risks
-
Economics Analysis
 Security vs Cost
- If risks are high and damage is significant then it may be
worth the cost of incorporating security
- If risks and damage are not high, then security may be an
additional cost burden
 Economists and technologists need to work together
- Develop cost models
- Cost vs. Risk/Threat study
Secure Electronic Voting Machines
 We are slowly migrating to electronic voting machines
 Current electronic machines have many security
vulnerabilities
 A person can log into the system multiple times from different
parts of the country and cast his/her vote
 Insufficient techniques for ensuring that a person can vote
only once
 The systems may be attacked and compromised
 Solutions are being developed
 Johns Hopkins University is one of the leaders in the field of
secure electronic voting machines
Biometrics
 Early Identication and Authentication (I&A) systems, were
based on passwords
 Recently physical characteristics of a person are being sued
for identification
- Fingerprinting
- Facial features
- Iris scans
- Blood circulation
- Facial expressions
 Biometrics techniques will provide access not only to
computers but also to building and homes
 Other Applications
Biometric Technologies
 Pattern recognition
 Machine learning
 Statistical reasoning
 Multimedia/Image processing and management
 Managing biometric databases
 Information retrieval
 Pattern matching
 Searching
 Ontology management
 Data mining
Data Mining for Biometrics
 Determine the data to be analyzed
- Data may be stored in biometric databases
- Data may be text, images, video, etc.
 Data may be grouped using classification techniques
 As new data arrives determine the group this data belongs to
- Pattern matching, Classification
 Determine what the new data is depending on the prior
examples and experiments
 Determine whether the new data is abnormal or normal
behavior
 Challenge: False positives, False negatives
Secure Biometrics
 Biometrics systems have to be secure
 Need to study the attacks for biometrics systems
 Facial features may be modified:
- E.g., One can access by inserting another person’s
features
Attacks on biometric databases is a major concern
 Challenge is to develop a secure biometric systems
-
Secure Biometrics - II
 Security policy for as biometric system
- Application specific and applicatyion independent
policies
- Security constraints
 Security model for a biometrics systems
Determine the operations to be performed
- Need to include both text, images and video/animation
 Architecure foe a biometric system
- Need to idenify securiy critical components
Reference monitor
 Detecting intrusions in a biometric system
-
-
Other Applications
 Email security
- Encryption
- Filtering
- Data mining
 Benchmarking
- Benchmarks for secure queries and transactions
 Simulation and performance studies
 Security for machine translation and text summarization
 Covert channel analysis
 Robotics security
- Need to ensure policies are enforced correctly when
operating robots
Introduction to Biometrics
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Introduction to Biometrics
Outline
 Introduction to Biometrics
- What is Biometrics?
- What is the Process?
- Why Biometrics?
 Biometrics Resources
 What is Secure Biometrics
 Revisiting Topics to be covered
 Some exploratory research areas
 Some useful reference books
What is Biometrics?
 Biometrics are automated methods of recognizing a person
based on a physiological or behavioral characteristic
 Features measured: Face, Fingerprints, Hand geometry,
handwriting, Iris, Retinal, Vein and Voice
 Identification and personal certification solutions for highly
secure applications
 Numerous applications: medical, financial, child care,
computer access etc.
What is the Process?
 Three-steps: Capture-Process-Verification
 Capture: A raw biometric is captured by a sensing device
such as fingerprint scanner or video camera
 Process: The distinguishing characteristics are extracted
from the raw biometrics sample and converted into a
processed biometric identifier record
Called biometric sample or template
 Verification and Identification
- Matching the enrolled biometric sample against a single
record; is the person really what he claims to be?
Matching a biometric sample against a database of
identifiers
-
Why Biometrics?
 Biometrics replaces Traditional Authentication Methods
 Provides better security
 More convenient
 Better accountability
 Applications on Fraud detection and Fraud deterrence
 Dual purpose
- Cyber Security and National Security
Why Biometrics? (Continued)
 Authentication mechanisms often used are User ID and
Passwords
 However password mechanisms have vulnerabilities
- Stealing passwords etc.
 Biometrics systems are less prone to attacks
 Need sophisticated techniques for attacks
- Cannot steal facial features and fingerprints
- Need sophisticated image processing techniques for
modifying facial features
Why Biometrics? (Continued)
 Biometrics systems are more convenient
 Need not have multiple passwords or difficult passwords
- E.g., characters, numbers and special symbols
- Need not remember passwords
 Need not carry any cards or tokens
 Better accountability
- Can determine who accessed the system with less
complexity
Why Biometrics? (Concluded)
 Dual Purpose
- Cyber Security and National Security
 Access to computer systems and networks
 Fraud detection
- Who has intruded the system?
- Who has entered the building
- Surveillance and monitoring
 Fraud Deterrence
- Because of biometrics systems, people are nervous to
-
commit crimes
Stealing from supermarkets and shops, etc.
Biometrics Resources
 Biometrics Consortium is the major resource
- www.biometrics.org
 Another Resource
- http://www.biometricsinfo.org/
 Has Information on
- Who is doing what
 Academia,
-
Industry and Government
White papers on Biometrics technologies
 Fingerprint detection, facial recognition, Iris scanning,
----
Biometrics Resources: What is academia doing?
 Michigan State University
- Developing algorithms for fingerprint detection, etc.
 West Virginia University
- Forensic identification initiative
 San Jose State University
- Mathematical concepts
Biometrics Resources: What is Industry doing?
 Focus is on building faster and cheaper devices
 More accuracy, less false positives and negatives
 Incorporating biometrics into mobile devices, Smartcards
 Biometrics in healthcare: delivering medication to correct
patients
 Biometrics in child care: Children are picked up by those
authorized
 Protecting digital content
- Ensuring that voice and video are not altered
Vendors: http://www.biometricsinfo.org/vendors.htm
Biometrics Resources: What is Government
doing?
 NSA (National Security Agency)
- Research on protecting critical information systems
 DoD (Department of Defense)
- Biometrics Management Office
- Provide Armed forces access to Biometrics systems for
combat operations
 INS/DHS (Department of Homeland Security; Immigration and
Nationalization Service)
- Biometrics technologies at Airports
 NIST (National Institute of Standards and Technologies)
Major player in Biometrics
-
Activities of NIST
 Measurements, Testing and Standards is NIST’s mission
 Focus on Biometrics Standards
 Activities
- Biometrics Consortium
- Common Biometric Exchange File Format
- Biometric Interoperability, Performance and Assurance
-
Working Group
BioAPI Consortium
Various Standards
Activities of NIST (Continued)
 Biometrics Consortium is the Government focal point for
research, development and testing of Biometric products and
technologies
 Common Biometric Exchange File Format is a product of the
consortium to develop common fingerprint template formats
 Biometrics Interoperability working group promotes common
definitions and concepts for exchanging information between
national and international partners
 BioAPI consortium develops common Application
Programming Interfaces for biometrics technologies
Activities of NIST (Concluded)
 NIST is developing standards for the following:
- Finger image format for data Interchange
- Face image format for data interchange
- Iris image format for data interchange
- Signature image format for data interchange
 NIST is working with International standards organizations for
joint standards
- ISO (International Standards Organization)
What is Secure Biometrics?
 Study the attacks of biometrics systems
- Modifying fingerprints
- Modifying facial features
 Develop a security policy and model for the system
- Application independent and Application specific policies
- Enforce Security constraints
 Entire
face is classified but the nose can be displayed
- Develop a formal model
- Formalize the policy
 Design the system and identify security critical components
- Reference monitor for biometrics systems
Security Vulnerabilities
 Type 1 attack: present fake biometric such a synthetic
biometric
 Type 2 attack: Submit a previously intercepted biometric data:
replay
 Type 3 attack: Compromising the feature extractor module to
give results desired by attacker
 Type 4 attack: Replace the genuine feature values produced
by the system by fake values desired by attacker
 Type 5 attack: Produce a high number of matching results
 Type 6 attack: Attack the template database: add templates,
modify templates etc.
Security and Privacy for Biometrics
 Privacy of the Individuals have to be protected
 CNN News Release: August 29, 2005
- Distorting Biometrics Enhances Security and Privacy
- Biometric data converted to numerical strings by
-
mathematical algorithm for later use
If the mathematical templates are stolen could be
dangerous
Researchers have developed method to alter the images
in a defined and repeated way
Hackers steal the distortion not the original face or
fingerprint
Secure Electronic Voting
Machines
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
References and Disclaimer
 Analysis of an Electronic Voting System
TADAYOSHI KOHNO ADAM STUBBLEFIELD AVIEL D. RUBIN
DAN S. WALLACH
IEEE Symposium on Security and Privacy 2004
 Security Analysis of the Diebold AccuVote-TS Voting Machine
Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten
http://itpolicy.princeton.edu/voting.
 The views expressed in this presentation are obtained entirely
from the above two papers. Prof. Bhavani Thuraisingham has not
carried out any analysis of the electronic voting machine discussed
in this presentation.
Properties of a Good Voting System
 The anonymity of a voter’s ballot must be preserved, both to
guarantee the voter’s safety and to guarantee that voters have no
evidence that proves which candidates received their votes.
 The voting system must also be tamper-resistant to thwart a wide
range of attacks ( including ballot stuffing by voters and incorrect
tallying by insiders)
 “Butterfly ballots” in the Florida 2000 presidential election is the
importance of human factors.
 A voting system must be comprehensible to and usable by the
entire voting population, regardless of age, infirmity, or disability.
 Flaws in any of these aspects of a voting system can lead to
indecisive/incorrect election results.
Electronic Voting System
 As a result of the Florida 2000 presidential election the
inadequacies of widely-used punch card voting systems have
become well understood by the general population.
 This has led to increasingly widespread adoption of “direct
recording electronic” (DRE) voting systems.
 Voters go to their home precinct and prove that they are allowed to
vote there by presenting say an ID card. The voter is then typically
given a PIN, a smartcard, or some other token
 User then enters the token at a voting terminal and then votes
 When the voter’s selection is complete, DRE systems will typically
present a summary of the voter’s selections
 The ballot is “cast”
 The most fundamental problem with such a voting system is that
the entire election hinges on the correctness,
What is the problem?
 The problem with such a voting system is that the entire election
hinges on the correctness, robustness, and security of the
software within the voting terminal.
 Should that code have security relevant flaws, they might be
exploitable either by unscrupulous voters or by malicious insiders.
 If flaws are introduced into the voting system software then the
results of the election cannot be assured to accurately reflect the
votes legally cast by the voters.
A solution?
 A solution for securing electronic voting machines is to introduce a
“voter-verifiable audit trail”.
 A DRE system with a printer attachment, or even a traditional
optical scan system will satisfy this requirement by having a piece
of paper for voters to read and verify that their intent is correct
reflected.
 This paper is stored in ballot boxes and is considered to be the
primary record of a voter’s intent.
 If the printed paper has some kind of error, it is considered to be a
“spoiled ballot” and can be mechanically destroyed, giving the
voter the chance to vote again.
 The correctness of any voting software no longer matters; either a
voting terminal prints correct ballots or it is taken out of service.
 If there is any discrepancy in the vote tally, the paper ballots will be
available to be recounted
Certified Voting Systems and issues
 “CERTIFIED” DRE SYSTEMS. Many government entities have
adopted paperless DRE systems
 Such systems have been “certified” for use without any public
release of the analyses
 The CVS source code repository for Diebold’s AccuVote-TS DRE
voting system recently appeared on the Internet.
 Rubin et al discovered significant and wide-reaching security
vulnerabilities in their analysis of the AccuVote-TS voting terminal
 Voters can easily program their own smartcards to simulate the
behavior of valid smartcards used in the election.
 With such homebrew cards a voter can cast multiple ballots
without leaving any trace.
 A voter can also perform actions that normally require
administrative privileges (e.g. viewing partial results and
terminating the election early)
Certified Voting Systems and issues
 The protocols used when the voting terminals communicate with
their home base both to fetch election configuration information
and to report final election results do not use cryptographic
techniques to authenticate either end of the connection nor do they
check the integrity of the data in transit.
 Given that these voting terminals could potentially communicate
over insecure phone lines or even wireless Internet connections,
even unsophisticated attackers can perform untraceable “man-inthe-middle” attacks.
Certified Voting Systems and issues
 Rubin et al considered both the specific ways that the code uses
cryptographic techniques and the general software engineering quality of its
construction.
 They state neither provides them with any confidence of the system’s
correctness.
 Cryptography, when used at all, is used incorrectly. In many places where
cryptography would seem obvious and necessary, none is used.
 No evidence of disciplined software engineering processes. Comments in the
code and the revision change logs indicate the engineers were aware of
some problems
 No evidence of any change-control process that might restrict a developer’s
ability to insert arbitrary patches to the code.
 Software is written entirely in C++. Rubin et al state when programming in a
language like C++, which is not type-safe, programmers must exercise tight
discipline to prevent their programs from being vulnerable to buffer overflow
attacks and other weaknesses.
What happened next?
 Following the release of our results, the state of Maryland hired
SAIC and RABA and the state of Ohio hired Compuware to
perform independent analyses of Diebold’s AccuVote-TS systems
 These analyses supported Rubin’s findings; also showed that
many of the issues raised and attacks identified still apply to more
recent versions of the AccuVote-TS system
 These analyses also identified security problems with the backend GEMS server.
Security Threats
 Smartcards
- Exploiting the lack of cryptography; Creating homebrew
smartcards; Casting multiple votes ; Accessing administrator
and poll worker functionality
 Election configurations and election data
- Tampering with the system configuration; Tampering with
ballot definitions; Impersonating legitimate voting terminals;
Key management and other cryptographic issues with the vote
and audit records; Tampering with election results and linking
voters with their votes; Audit logs ; Attacking the start of an
election
 Software engineering
Code legacy; Coding style; Coding process; Code
completeness and correctness
-
Rubin’s conclusions
 Using publicly available source code, they performed an analysis of the April
2002 snapshot of Diebold’s AccuVote-TS electronic voting system.
 They found significant security flaws: voters can trivially cast multiple ballots
with no built-in traceability, administrative functions can be performed by
regular voters, and the threats posed by insiders such as poll workers,
software developers, and janitors is even greater
 Based on the analysis of the development environment, including change
logs and comments, they believe that an appropriate level of programming
discipline for a project was not maintained.
 There is little difference in the way code is developed for voting machines
relative to other commercial endeavors.
 They believe that an open process would result in more careful development
as more scientists and software engineers would solve problems.
 Need to use appropriate encryptions and security models
Analysis of Feldman et al
 Malicious software running on a single voting machine can steal
votes with little if any risk of detection.
 The malicious software can modify all of the records, audit logs, and
counters kept by the voting machine, so that even careful forensic
examination of these records will find nothing amiss.
 The authors have constructed demonstration software that carries
out this vote-stealing attack.
 Anyone who has physical access to a voting machine, or to a
memory card that will later be inserted into a machine, can install
said malicious software using a simple method that takes as little as
one minute.
 In practice, poll workers and others often have unsupervised access
to the machines.
Analysis of Feldman et al
 AccuVote-TS machines are susceptible to voting-machine viruses;
computer viruses that can spread malicious software automatically
and invisibly from machine to machine during normal pre- and post
election activity.
 Authors have constructed a demonstration virus that spreads in this
way, installing their demonstration vote-stealing program on every
machine it infects.
 While some of these problems can be eliminated by improving
Diebold’s software, others cannot be remedied without replacing the
machines’ hardware.
 Changes to election procedures would also be required to ensure
security.
Download