Security – 1h
The Internet – a global network of networks
• Information travelling on the internet
– takes a circuitous route
– through several intermediate computers and
data links
– to reach any destination computer
• You have no control over the route your
information takes to reach its destination
• Offers possibilities for information to be
intercepted and corrupted
• Raises issues of security
The aims of computer security
• Prevention
– Prevent asset being damaged
• Detection
– Detect when an asset has been damaged
• Response
– Recover assets
– Repair damage to assets
– Inform others
Issues (1/2)
• Confidentiality: Unauthorised
disclosure of information
• Integrity: Prevent unauthorised
modification of information
• Availability: Prevent unauthorised
withholding of information
Issues (2/2)
• Authenticity: Are you what you say you
are?
• Accountability: Can I be sure that the last
transaction was encrypted?
• Dependability: Will this always be the
case, or do you have a non-secure server
when the secure server is down?
Username and Password
• Password guessing
– Exhaustive search
– Intelligent search
• Password spoofing
– Log-in to a fake site (have you ever re-used a pwd?)
• Compromise of password file
– Illegal under the UK Data Protection Act
• What happens if an overseas call-centre starts selling your
passwords as well as your credit card data?
– Cryptography
Network solutions
• Password:
– Checkers - Search for weak passwords
– Generation - random but pronounceable
– Ageing - prevent last ten being reused
• Limit Log-in attempts
– Inform user of number of unsuccessful log-ins
• Levels of password
– Log-in/Log-out/Server/
– Access Database/Write Database
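The ageing and log-in limit measures above, as an added Python example that is not part of the original slides. The `Account` class, the limit of three attempts and the PBKDF2 work factor are assumptions made for illustration; only salted hashes of passwords are kept.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 10    # "prevent last ten being reused"
MAX_ATTEMPTS = 3      # assumed limit; the slide gives no number
ITERATIONS = 100_000  # assumed PBKDF2 work factor


def _hash(password, salt):
    # Salted, deliberately slow hash: the stored value is not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Account:  # hypothetical class, for illustration only
    def __init__(self, password):
        self.history = []  # (salt, hash) pairs, newest last
        self.failed = 0    # consecutive unsuccessful log-ins
        self.set_password(password)

    def _matches(self, password, entry):
        salt, stored = entry
        return hmac.compare_digest(_hash(password, salt), stored)

    def set_password(self, new_password):
        """Ageing: refuse a password found among the last ten."""
        if any(self._matches(new_password, e) for e in self.history):
            return False
        salt = os.urandom(16)
        self.history.append((salt, _hash(new_password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        return True

    def login(self, password):
        """Return (ok, message); refuse once the attempt limit is reached."""
        if self.failed >= MAX_ATTEMPTS:
            return False, "account locked"
        if self._matches(password, self.history[-1]):
            seen, self.failed = self.failed, 0
            return True, f"{seen} unsuccessful log-in(s) since last success"
        self.failed += 1
        return False, "log-in failed"
```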
Cryptography Issues
Three functions of cryptography:
• Secure encryption and decryption of data
to prevent unauthorised access
• Verification that the data was sent by the
stated sender
• Validation that data was received
unaltered
Private-Key Encryption
• The same key is used for both encoding and
decoding
• Sending a message from A to B:
– A encodes a message with his/her private key
– A sends the message to B
– A must also send his/her private key to B (this is the
weakest link)
– B decodes A’s message with A’s private key
Private-Key Encryption
• Problem
– Key security: steal the key and the code can
be broken
– Every time the key is transferred there is risk
of it being intercepted
– The same key may be shared by too many
people
Public-Key Encryption
• Two keys are required: The two keys are different
but linked (Asymmetric key-pair)
– A public key
• Can be copied and given out freely
– A private key
• Retained by you only
• Could reside on your computer as a password-protected file
(message digest)
• Could be stored solely on your floppy disk (further security)
• People send you information encoded with your
public key that can only be decoded by you with
your private key (confidentiality)
Hash functions
• Produce fixed-length hash (~32 bits) from variable-length
message
– It is computationally infeasible to find a message with that
hash; in fact one can't determine any usable information about a
message with that hash, not even a single bit.
– Biometrics usually work the same way!
• A public one-way hash function can be used to speed up a
public-key digital signature system.
– Rather than sign a long message, which can take a long time,
compute the one-way hash of the message, and sign the hash.
• Passwords may be stored as hashes, so accessing the
password file does not compromise the users
Cryptography Issues
• Secure encryption and decryption of data
– Keys
• Verification that the data was sent by the
stated sender
– Digital Signature
• Validation that data was received
unaltered
– Comparison of message digests
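Comparison of message digests, as an added Python example that is not part of the original slides. It goes one step beyond the slide by also showing a keyed digest (HMAC), since a bare digest only helps when the digest itself cannot be replaced in transit; the key and messages are constructed sample values.

```python
import hashlib
import hmac


def digest(message: bytes) -> str:
    """Fixed-length SHA-256 digest of a message of any length."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, sent_digest: str) -> bool:
    """Receiver recomputes the digest and compares it with the one sent."""
    return hmac.compare_digest(digest(message), sent_digest)


def keyed_digest(key: bytes, message: bytes) -> str:
    """HMAC-SHA-256: a digest that cannot be computed without the shared key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_keyed(key: bytes, message: bytes, sent_tag: str) -> bool:
    return hmac.compare_digest(keyed_digest(key, message), sent_tag)


def demo():
    key = b"constructed-session-key"  # sample value, shared by A and B
    sent = b"Transfer 10 pounds to account 1234"
    altered = b"Transfer 90 pounds to account 1234"
    return {
        # Corruption in transit: the recomputed digest no longer matches.
        "corruption_detected": not verify_digest(altered, digest(sent)),
        # Limit of a bare digest: whoever alters the message can also
        # replace the digest, and the comparison then succeeds.
        "replaced_digest_accepted": verify_digest(altered, digest(altered)),
        # With a keyed digest, a replacement tag made without the key fails.
        "replaced_tag_rejected": not verify_keyed(
            key, altered, keyed_digest(b"not-the-key", altered)),
        "genuine_accepted": verify_keyed(key, sent, keyed_digest(key, sent)),
    }
```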
Digital Certificates
• Attached to a public key to reassure
users that the public key they are
about to accept is authentic
• Given by a Certification Authority
(CA) e.g. Verisign
• Web browsers have a list of trusted
CAs built into them
Digital Certificates
– Scenario
• A secure web page offers the web browser
a public key (as a digital certificate)
• Web browser then checks the key for
certification and the authority that certified it
Secure Sockets Layer SSL
• Secure Sockets Layer SSL (Netscape)
• Protocol used to transmit information
securely via the Internet
• Delivers
– Server authentication (check site digital
certificate)
– Message privacy (encryption of information
moving between browser and server and
unique session keys)
– Message integrity (compare message digests)
Firewalls
• Firewall
– any security system protecting the boundary of an internal
network (intranet, LAN)
• Functions
– Access control based on sender or receiver addresses
– Access control based on the service requested
– Hiding the internal network from the outside world (e.g.
topology, IP addresses)
– Virus checking on incoming files
– Authentication based on the source of traffic
– Logging of internet activities
• Mechanisms used
– Packet filtering
– Proxy servers
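Packet filtering by sender/receiver address and requested service, with logging, as an added Python example that is not part of the original slides. The rule table, the first-match-wins evaluation and the default-deny fallback are assumptions; all addresses are constructed values from the documentation ranges.

```python
import ipaddress

# Constructed rule set: (action, source network, destination network, port).
# A port of None means "any service".
RULES = [
    ("deny",  "203.0.113.0/24", "0.0.0.0/0",     None),  # blocked sender range
    ("allow", "0.0.0.0/0",      "192.0.2.10/32", 443),   # public web server
    ("allow", "192.0.2.0/24",   "0.0.0.0/0",     None),  # internal hosts outbound
]


def decide(src, dst, port, rules=RULES, log=None):
    """Return "allow" or "deny" for one packet; the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, src_net, dst_net, svc) in enumerate(rules, 1):
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and svc in (None, port)):
            break
    else:
        n, action = 0, "deny"  # no rule matched: default deny
    if log is not None:
        # Logging function of the firewall: record every decision.
        log.append(f"{action} {src} -> {dst}:{port} rule={n}")
    return action
```

Evaluating the same rules in reverse order lets the blocked sender range reach the web server, which is why rule order is part of the security policy.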
Proxy Servers
• A server located between a client (e.g. web
browser) and the server the client is trying to
contact
• Intercepts the client’s request and decides
whether it is permitted according to its security
rules
• The only entity seen by the outside world and
appears transparent to internal users
Hacking - DoS
• Denial of Service attacks
– Target: ISP
– Causes a service (e.g. web server or mail
server) to be unavailable or unusable
• e.g. send a stream of connection requests to the
server and deplete it of memory or reach the
server connection limit
– Consequences
• Refusal of further connection requests
• Poor performance
Hacking - Cracking Passwords
• Cracking Passwords – remote access
• Dictionary attack is trying to determine a
decryption key or pass-phrase by
searching a large number of possibilities
• Remote access to a user’s account allows
files to be copied or corrupted.
• Hacking used to be a game – now it is
done by criminals for theft.
Virus
• Virus
– A piece of self-replicating code attached to some
other piece of code, with a payload. Payload can
range from non-existent/harmless to harmful e.g.
deleting/modifying files
– Infects a program by inserting itself into the program
code
– Attacks
• Executable program files
• File-directory
• Boot process (e.g. bootstrap viruses use the BIOS)
• System
Trojan Horses
• Program which produces hidden side-effects
not intended by the user executing
the program, e.g. Melissa - a macro virus
which via Word attacked MS
Outlook/Express
• Can allow passwords and account details
to be accessed remotely.
Worms
• Self-replicating, but not infecting,
• Designed to attack networks (use active
network connections in order to
propagate)
• Can reduce server efficiency or crash the
server
• Can allow information to be accessed
remotely
Cookies
• Text file created by a site’s web server and
stored on your host machine by your web
browser
• An information packet sent from a server to a
browser and thereafter sent back by the
browser each time it accesses the server
• Creation of a user profile to improve user
experience of the web or invasion of privacy?
• Can be blocked (Browser settings)