Transcript File

ITGS
Security
Security Authentication
• Computer security
– The process of protecting hardware, software
and data from unauthorized access, while
allowing authorized users to perform their
work
• Authentication
– requires users to prove their identity so a
system knows they are genuine, authorized
users
• Something you know
– Passwords - must be chosen carefully so that they
can’t be easily guessed
Authentication
• Something you have
– Requires a user to have a physical object in order
to authenticate
• Security token - using a physical object to enter a system
• Multifactor authentication - since security tokens can be
stolen, another form of authentication in addition to them
is used
• Something about you
– Biometrics
• Using a part of a person’s body to identify them
– Fingerprints, iris patterns, face shape , voice pattern
– Biometrics are unique for each user
» Not 100% accurate; a biometric system must attempt
to make a good match rather than an exact match with
the stored biometric data ( always a margin of error)
Biometric authentication
» False negative - when the system fails to
recognize an authorized user, and he/she must
begin the authentication again
» False positive-when an unauthorized user is
mistakenly allowed access because the system
mistakes their data for that of an authorized user
• Something you know
– Passwords
• Computers do not store passwords as plain text
– A one-way function is used to generate a
cryptographic hash of a password
» It is not possible to retrieve the original password
from the hash, making it safe to store the hash.
» When the user logs in, another hash is generated
and is compared to the original hash value; if the
two match, the user is authenticated
» The password itself is never stored, nor is it sent
across a network
Cryptographic Hash
Passwords
•Not all websites use the cryptographic hash
method to store passwords securely
•If a website or system is able to send you a
reminder of your password, it means it is
stored in a way accessible to the system
administrators
•If the forgotten password function sends
you a new password, the system
administrators don’t have access to your
old password (cryptographic hash)
•Biometric enrollment
•Collecting biometric samples from users
along with their identities
Passwords
•Example: fingerprints
•The computer analyzes the
fingerprints, looking for the key
features and measurements
•It produces a biometric template
containing these values
•This template is stored for future
use
•When the user tries to authenticate,
another biometric sample is taken
and used to produce a biometric
template
Access privileges
•The new template is compared with the old,
and if they match, its authenticated
•Most system administrators don’t want all
authenticated users to have the same access
privileges
•Most operating systems provide a way to
grant access privileges to individuals or
groups of users
•A series of rights can be assigned:
•The ability to read (view), write (modify)
and delete material
Hacking
• These rights can be done on individual files,
folders, drives and resources like printers
• Each user is assigned his own home directory
• The system administrator’s account has full
access to all items
• Hacking
– Gaining unauthorized access to computer
systems
• A hacker exploits weaknesses in the target
system’s security
• Once the hacker has compromised the system,
information is usually stolen
Hacking
• Social engineering
– Tricking people into giving away passwords
• Software tools for hacking:
– Packet sniffer - a program that captures data as it
travels over networks
• Legitimate use: helping diagnose network problems
– Key loggers - plug into computer between
keyboard and keyboard port
• Key loggers run in the background, silently recording
keys pressed
• Can be detected by anti-virus software
– Password cracker - program designed to guess
passwords
• Dictionary attack - they try every word in a list of known
English words until the password is found
Hacking
• Brute force method - try every single
combination of characters until the right word
is guessed
– Brute force is slow at 10 million passwords
per second, it would take years to guess a
long password
– END OF MONDAY’S NOTES
Hacking
• Preventing the use of password
cracking tools
– Limiting the number of times a user can try to log
in before temporarily locking the account
– Small delay between login attempts
• OS Fingerprinting tools
– Used to give more information about a target
system, such as versions of OS and webserver
software
• The hacker can them investigate possible flaws
Security Updates
• Software vendors frequently release patches
for their system
– Downloading and applying these updates is
important because new vulnerabilities are
constantly being found
• Vulnerability scanner tools
– Used by hackers to test a system for
vulnerabilities which have not been patched, so
they can exploit them
Hacking in action
• Zero day exploit
– When hackers target a company using vulnerable
security, acting on a newly reported and unfixed
vulnerability
• Malicious software
– Viruses
• Malicious programs designed to replicate themselves and
cause damage to computer systems
– Viruses usually attach to other programs or email
attachments, and are triggered when a user opens the
program or attachment
– When the virus spreads, at a given point, such as a certain
date, viruses trigger their “payload”, which might be deleting
or overwriting files or even wiping the hard disk
Macro viruses
• Macro virus – Written using the macro programming languages
designed in automated tasks in some software,
such as word processors, spreadsheets and
databases
• They can be configured to run automatically when a
document is opened and quickly infect computers
– Worms - similar to viruses, but sread without any
user interaction
• Example: a user opens a worm infected email attachment the worm might immediately copy itself to other machines
on the network or automatically forward to everyone in the
user’s address book
• Worms consume large amounts of bandwidth as they
propagate
Malicious software
• Trojan horses
– Rely on tricking the user into downloading and running them,
instead of spreading on their own
• They pretend to perform a useful task (pose as a game or even
antivirus software)
• Once run, they deliver their payload, which is often spyware,
turning the infected machine into a botnet.
• Spyware
– A form of malware which monitors the user’s activities
without their knowledge or permission
• Serves them with advertisements targeted to their behavior
• More sinister, such a stealing personal files or using a key logger
to gauge passwords, usernames and credit card numbers
– It is even possible to record the user’s screen
• Rootkits
– A particularly hard to remove form of malware that generally
infects a machine as the administrator (root) user
Malicious software
– Rootkits hide their identity from the user and the OS and alter it
– Difficult to detect
– Usually can only be removed by installing a fresh operating system
• Backdoor infections - malware that is operated by an
unauthorized remote user is becoming more common
– A computer infected in this way is called a zombie
– Botnets - when criminal computer gangs control hundreds or
thousands of zombies at once
• They send out spam or phishing email, or distribute malicious software
• DDOS attacks - bombarding a computer system with so many requests
that it can’t keep up, becomes slow, or crashes
• Drive-by downloads
– Programs which are downloaded or installed automatically, without
the user’s consent, when he visits a webpage
• Usually either infect a system with malware or make money by tricking
the user into buying unnecessary security software
– JavaScript, ActiveX and Java - technologies that can be used to create
enhanced, interactive webpages, but also can be misused to deliver driveby
downloads
• END OF WEDNESDAY’S NOTES
Spam
•
Spam - unwanted messages that are sent to many users at once.
– Usually e-mail, but can also refer to phone text messages (SMS)
– Usually advertise products, many illegal or unregulated, such as prescription
drugs
• 419 Scams (also known as Nigerian Scams): scam messages which try to entice the
user into sending money
– Common spamming techniques:
» A subject line which seems personal
» Spam sent by a virus or worm may actually use the name of a sender you know
– Large amounts of spam also slow down email servers, consuming space and
bandwidth
– Employees in businesses waste valuable time dealing with spam - 7.3
minutes every week, adding up to $71 billion of lost productivity in the US
•
Spam bot - software that scans through thousands of web pages looking
for email addresses
– Searches through web pages for email addresses, HTML code, mailto tags,
and web forms filled in by users
•
Some companies exist with the sole purpose of collecting and selling
databases of email addresses
Spam filters
•
Spam filters
– Used by most email providers to reduce the amount of spam you have
• Organizations can install their own spam filters on an email server or client
computer
– SpamAssassin - an open source program
• Use Bayesian filtering to examine email and determine how likely it is to be Spam,
based on the words it uses
• Monitor global spam email and make available the IP addresses or domain names of
spam sources
•
Many websites use CAPTCHAs or “scribble text” to prevent abuse by
automated spam bots
– CAPTCHAs create an image using distorted text, background noise, and
disorienting lines, designed to be impossible for a spam bot program to
decipher but easy for a human.
• Commonly used on websites to create accounts (especially email systems) to
prevent spammers writing software to automatically generate hundreds or
thousands of false accounts
•
Avoiding spam filters
– Spammers use various techniques to avoid the filters
• Embed a paragraph of text from a website or book into the spam email to fool the
Bayesian filters into thinking the message is genuine
– This works because the ‘normal’ text reduces the relative frequency of words associated
with spam
Avoiding Spam Filters
• Image spam
– Spammers try to avoid spam filters by including their message in an
image file instead of text
• Since spam filter’s can’t read or understand the text in an image,
such emails may be passed through
– Web bugs
• Links in spam messages to images stored on the spammer’s
server
– When you open the email with the web bug, the image is
fetched from the server, and your email address is
confirmed, encouraging the spammer to send you more
spam
» This can be avoided by switching off images in email
software
• Ways to avoid spam
– Use BCC (blind carbon copy) to protect others’ email
addresses
– Use disposable email addresses when using email on
sites that may cause problems
» Some web mail companies offer disposable
Phishing
• Phishing
– Impersonating a genuine organization in order to
fool the user into providing sensitive personal data
• Such emails usually contain a link to a web site which is
an exact copy of the original site, but is operated by
criminals
– Some phishing sites display an ‘incorrect password’
error after details are entered and direct users to the
real site, making you think you just made a typing
mistake
• Smishing - using text messages to commit
phishing attacks
• Vishing - using a phone call to commit a
phishing attack
– VoIP software allows inexpensive calls to be made,
even from overseas, and they are very hard to trace
Phishing
• Pharming
– Also known as DNS poisoning
• Another technique used by phishers to direct users to a
fake website when they enter the URL of a genuine site
– Criminals illegally access a DNS server and put the IP
address of their fake site in lace of the IP address of the real
site
– When the user enters the compromised domain name in their
browser, the DNS server returns the false IP address and
takes them to the fake site
– Identity theft
• Phishing is performed to commit identity theft - stealing
personal data to impersonate them
• ***Don’t use links to get to banks - type in the URL manually to
avoid phishing
Encryption
• Encryption - protects data from unauthorized
access when it is sent over an untrusted
network like the internet.
– Encryption uses encryption keys to transform a
plaintext message into a form that is not
understandable to anyone who reads it (ciphertext)
• Secret key encryption
– The same key is used for both encryption and decryption
» Symmetric or single key encryption
» The key must be kept secret
Encryption
• Public key encryption
– Asymmetric key encryption - uses a key pair:
• Public key is used only for encryption
• Private key - used only for decryption
– The keys work only when together
» Once a message is encrypted with public key, only
corresponding private key can decrypt it
– An encrypted connection to a web site is indicated
by https at the start of the URL
• This signifies SSL (secure socket layer) or TLS (Transport
Layer Security) encryption is being used
Digital signing
• Digital certificate - used to authenticate the
sender of a message
– Using a private key to digitally sign your message
to prove your identity
• Certificate authorities verify the owner of public keys and
issue digital certificates (key pairs) to organizations after
checking their identity
• END OF THURSDAY’S NOTES
Digital signing
• Certificate authority
– Responsible for issuing digital certificates (key
pairs) to organizations , after checking their
identity.
• Used by many online businesses to prove that they are
dealing with genuine businesses
• Encryption in Action
– Transport Layer Security (TLS) and Secure Socket
Layer (SSL)
• Standard encryption protocol used for secure web
communication
– TLS - used for logins to email providers and social networks,
and for online banking and shopping transactions
» An encrypted website will show the https protocol at the
start of the URL in the web browser.
Encryption
• Extended Validation SSL (EV SSL)
– A digital certificate system designed to verify the identity of
online organizations (Certificate authority)
• Wired Equivalent Privacy (WEP)
– An older encryption algorithm used by wireless networks
• It is superseded by Wi-Fi protected access (WPA) and WPA-2
– Encrypted protocols keep data safe as it is transmitted from
computers with wi-fi cards to wi-fi routers
• Encryption and hard disks
– Data stored on laptop computers and portable storage
devices is particularly vulnerable to loss or theft
– It’s easy to remove hard disks from computers and attach
them as a slave disk on another computer
• Full disk encryption - prevents hard disks from being stolen by
asking for a passphrase which is used to decrypt data from the
disk
Encryption
– The correct passphrase decrypts sectors in memory as they
are read from the disk
– As data is written to disk from memory, it is automatically
encrypted
• Encryption Ethics
– Strong encryption guarantees that no one without the key can
view the plaintext - not even the law
• Criminals know that they can encrypt their illegal data
– This leads to lack of evidence in criminal prosecutions
– Key escrow - an authorized authority has users’ encryption
keys, and reveals them to law enforcement if requested
• Wireless security
– Wireless networks are riskier than ethernet networks
• Wireless network data is vulnerable to interception because it is
broadcast through the air
– All wireless networks should be encrypted
» WPA2 is the best wireless encryption standard
Wireless security
• SSID (service set identifier)
– Possible to hide a wireless network’s name (SSID) to prevent
it from appearing in the list of networks shown by computers
• MAC address filtering - can be configured on most wireless
routers, and denies access to the wireless network from an
computers whose MAC addresses are not on a list
– To secure a router, change the default password
• Most of the routers from factories come with default usernames
– Lists of these default names can be found on the internet
• Physical security
– Preventing intruders from gaining access to a computer
system to steal it or compromise it