Access Security - Carnegie Mellon University

Access Security
20-751 ECOMMERCE TECHNOLOGY
SPRING 2002
COPYRIGHT © 2002 MICHAEL I. SHAMOS
Outline
• Are web systems safe?
• Authentication
– Passwords
– Biometrics
• Network protection
– Firewalls, proxy servers
– Denial of service attacks
– Viruses
Web Security
• Client Side
– What can the server do to the client?
• Fool it
• Install or run unauthorized software, inspect/alter files
• Server Side
– What can the client do to the server?
• Bring it down (denial of service)
• Gain access (break-in)
• Network
– Is anyone listening? (Sniffing)
– Is the information genuine? Are the parties genuine?
Internet Sniffing
SOURCE: CERT
Methods of User Authentication
• Something you know . . .
– Password, PIN, “mother’s maiden name” (e.g. the PIN “1059”)
• Something you have . . .
– Physical key, token, magnetic card, smartcard
• Something you are . . .
– Fingerprint, voice, retina, iris
• Someplace you are
– GPS information
• Best to use two or more of the above
SOURCE: SECURITY DYNAMICS
Biometrics
• Use of an unalterable body part or feature to provide identification
• History
– For 1,000,000 years we couldn’t identify people
– France used tattoos; abolished in 1832
– Uniqueness of fingerprints 1890
• Verification v. identification
• Weaknesses:
– Forgery
– Replay attack
Fingerprints
• Main shapes: arch, loop, whorl
• Minutiae: end, bifurcation, island, lake, dot
• Each person has a unique arrangement of minutiae
SOURCE: C3i
Fingerprint Capture
• ST-Micro TouchChip (capacitive)
• American Biometric Company BioMouse (optical)
• Thomson-CSF FingerChip (thermal-sensed swipe)
• Biometric Partners Touchless Sensor
Iris Scan
• Human iris patterns encode ~3.4 bits per sq. mm
• Can be stored in 512 bytes
• Patterns do not change after 1 year of life
• Patterns of identical twins are uncorrelated
• Chance of duplication < 1 in 10^78
• Identification speed: 2 sec. per 100,000 people
PERSONAL IRIS IMAGER
Companies: British Telecom, Iriscan, Sensar
SOURCE: IRISCAN
Signature Dynamics
• Examines formation of signature, not final appearance
• DSV (Dynamic signature verification)
• Parameters
– Total time
– Sign changes in x-y velocities and accelerations
– Pen-up time
– Total path length
• Sampling 100 times/second
Companies: CyberSign, Quintet, PenOp, SoftPro SignPlus
Network Security
[Figure: paths into the network: removable media; remote-location user; modem + telephone; radio emissions; local area network; “backdoor” Internet connection; ISP Internet connection; remote user; vendors and subcontractors]
SOURCE: CERT
Sophistication v. Intruder Knowledge
SOURCE: CERT
Firewall Architecture
SOURCE: CHAPMAN, BUILDING INTERNET FIREWALLS
Network Attacks
SOURCE: CERT
Firewall
• A device placed between two networks or machines
– All traffic in and out must pass through the firewall
– Only authorized traffic is allowed to pass
– The firewall itself is immune to penetration
[Figure: Company Network | Firewall | Internet]
SOURCE: ADAM COLDWELL
Proxy Server
SOURCE: CHAPMAN, BUILDING INTERNET FIREWALLS
Distributed Denial of Service Attack
[Figure: the intruder sends commands to handlers; the resulting traffic converges on the victim]
SOURCE: CERT
DDOS Attack
SOURCE: CERT
Denial-of-Service Attacks
• Attack to disable a machine (server) by making it unable to respond to requests
• Use up resources
– Bandwidth, swap space, RAM, hard disk
• FBI DOS attack (June 1999): 600,000 service requests per second
Ping Flooding
[Figure: attacking system(s) flood the victim system across the Internet]
SOURCE: PETER SHIPLEY
Three-Way Handshake
[Figure: Client and Server exchange SYN, SYN | ACK, ACK]
1: Client sends SYN seq=x
2: Server sends SYN seq=y, ACK x+1
3: Client sends ACK y+1
SOURCE: PETER SHIPLEY
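Added C example, not part of the lecture: it walks the three handshake steps above over a constructed capture and counts, per client, handshakes that began with a SYN but never received the step-3 ACK, which is how half-open connections accumulate on a server under a SYN flood. The record layout, the capture and the threshold of 2 are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* One TCP segment from a constructed capture: sender, receiver, flags,
 * and the sequence / acknowledgement numbers. */
typedef struct {
    const char *src, *dst, *flags;
    unsigned seq, ack;
} Segment;

/* Constructed sample capture (not real traffic). 10.0.0.5 completes all
 * three steps; 10.0.0.9 keeps sending SYNs and never sends the final ACK. */
static const Segment CAPTURE[] = {
    {"10.0.0.5", "server", "SYN",     1000, 0},     /* 1: SYN seq=x */
    {"server", "10.0.0.5", "SYN|ACK", 5000, 1001},  /* 2: SYN seq=y, ACK x+1 */
    {"10.0.0.5", "server", "ACK",     1001, 5001},  /* 3: ACK y+1 */
    {"10.0.0.9", "server", "SYN",     1, 0},
    {"server", "10.0.0.9", "SYN|ACK", 7000, 2},
    {"10.0.0.9", "server", "SYN",     2, 0},
    {"server", "10.0.0.9", "SYN|ACK", 7100, 3},
    {"10.0.0.9", "server", "SYN",     3, 0},
    {"server", "10.0.0.9", "SYN|ACK", 7200, 4},
};
#define CAPTURE_LEN (sizeof CAPTURE / sizeof CAPTURE[0])

/* Count handshakes started by `client` that never reached step 3.
 * A SYN opens one; an ACK carrying y+1 for the latest SYN|ACK closes one. */
int half_open(const Segment *log, size_t n, const char *client)
{
    int open = 0;
    unsigned expect = 0;   /* y+1 that the client must acknowledge */
    for (size_t i = 0; i < n; i++) {
        const Segment *s = &log[i];
        int from_client = strcmp(s->src, client) == 0;
        if (from_client && strcmp(s->flags, "SYN") == 0)
            open++;
        else if (strcmp(s->dst, client) == 0 && strcmp(s->flags, "SYN|ACK") == 0)
            expect = s->seq + 1;
        else if (from_client && strcmp(s->flags, "ACK") == 0
                 && s->ack == expect && open > 0)
            open--;
    }
    return open;
}

/* Flag a client whose half-open count exceeds the (assumed) threshold of 2. */
int is_syn_flooding(const Segment *log, size_t n, const char *client)
{
    return half_open(log, n, client) > 2;
}

int main(void)
{
    const char *clients[] = {"10.0.0.5", "10.0.0.9"};
    for (int i = 0; i < 2; i++)
        printf("%s: %d half-open, flooding=%d\n", clients[i],
               half_open(CAPTURE, CAPTURE_LEN, clients[i]),
               is_syn_flooding(CAPTURE, CAPTURE_LEN, clients[i]));
    return 0;
}
```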
SMURF ATTACK
[Figure: the perpetrator sends ICMP echo requests, with the spoofed source address of the victim, to an IP broadcast address; the innocent reflector sites each return an ICMP echo reply to the victim]
ICMP = Internet Control Message Protocol
[Figure: 1 SYN from the perpetrator across the Internet; 10,000 SYN/ACKs from the innocent reflector sites -- victim is dead]
BANDWIDTH MULTIPLICATION: a T1 (1.54 Mbps) can easily yield 100 Mbps of attack
SOURCE: CISCO
Code Attacks
• Virus
– executable code that attaches itself to other executable code (infection) to reproduce itself (spread)
– components: replicator + concealer + payload
• Rabbit, Worm
– program that makes many copies of itself and spreads them. Each copy makes copies, etc. Worm spreads via networks.
• Trojan Horse
– performs unauthorized activity while pretending to be another program. Example: fake login program
Viral Phenomena
• Invented ~1985
• More than 36,500 known viruses (NY Times, 6/10/99)
– More than in nature
• 10-15 new viruses per day
• 35% are destructive (up from 10% in 1993)
• Virus attacks per computer double every two years
• Written mostly by men 14-24
– India, New Zealand, Australia, U.S.
• Symantec employs 45 people full-time, spread over 24 hours, to detect and neutralize viruses
Exploiting System Bugs
• Buffer overflows
– Program allocates 255 bytes for input.
– Hacker sends 500 bytes.
[Figure, before: BUFFER (255 BYTES) followed by PROGRAM CODE; the input is 500 bytes long. After: the 255-byte buffer is filled and 245 bytes of program code are overwritten with the hacker’s data; now the hacker’s code can be executed]
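The 255-byte buffer from the slide, as an added C example (not from the lecture): the unbounded copy that produces the overflow described above sits beside a bounded version that rejects oversized input, with a helper that computes how many bytes an unbounded copy would write past the buffer. Function and variable names are the example's own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 255   /* the slide's 255-byte input buffer */

/* Vulnerable form, as on the slide: copies the whole input with no bound.
 * A 500-byte input writes 245 bytes past the end of buf, over whatever the
 * compiler placed there (other variables, a saved return address). */
void read_input_unsafe(char buf[BUF_SIZE], const char *input)
{
    strcpy(buf, input);
}

/* Hardened form: accepts only input that fits, terminator included.
 * Returns 0 on success; -1 (and an empty buffer) if the input is too long. */
int read_input_safe(char buf[BUF_SIZE], const char *input)
{
    /* Look for the terminator within the first BUF_SIZE bytes only. */
    const char *nul = memchr(input, '\0', BUF_SIZE);
    if (nul == NULL) {                 /* no terminator in range: reject */
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, input, (size_t)(nul - input) + 1);
    return 0;
}

/* Bytes an unbounded copy of input_len bytes would write past the buffer
 * (500 bytes of input against a 255-byte buffer overwrites 245). */
size_t overflow_bytes(size_t input_len)
{
    return input_len > BUF_SIZE ? input_len - BUF_SIZE : 0;
}

int main(void)
{
    char buf[BUF_SIZE];
    char input[501];                   /* constructed 500-byte input */
    memset(input, 'A', 500);
    input[500] = '\0';
    if (read_input_safe(buf, input) != 0)
        printf("rejected %zu-byte input; an unbounded copy would overwrite %zu bytes\n",
               strlen(input), overflow_bytes(strlen(input)));
    return 0;
}
```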
Viral Phenomena
• Stealth capability
– Virus “hides” from detection. Installs memory-resident code.
– Intercepts file accesses. If attempt is made to access its disk
sector, substitutes “clean” data instead.
• Mutation
– Accidental. Virus gets changed (corrupted) by system
– Deliberate. Creator inserts program modification code. “Self-garbling”: unscrambles itself before use
– Result: virus becomes hard to detect
• Virus toolkits
Virus Detection
• Some virus families have common characteristics
– Presence or absence of particular strings
• Antiviral software
– Only detects what it knows how to detect.
– Must be upgraded regularly for new viruses.
– Symantec encyclopedia
• File virus
– Compare size with known backup copy.
– Presence of strings, like “.EXE”
• Retrovirus
– Attacks or disables antivirus software
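The two file-virus checks on the slide, size against a known backup copy and presence of known strings, as an added C example (not from the lecture); the signature strings, the baseline record and the sample file contents are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Baseline for one file: its size in the known-clean backup copy. */
typedef struct { const char *name; size_t clean_size; } Baseline;

/* Constructed placeholder signatures; a real scanner carries thousands. */
static const char *SIGNATURES[] = { "DEMO-SIG-0001", "DEMO-SIG-0002" };

/* Binary-safe substring search: strstr would stop at the first NUL byte,
 * and executables contain plenty of those. */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Slide check 1: size differs from the known backup copy. */
int size_changed(const Baseline *b, size_t actual_size)
{
    return actual_size != b->clean_size;
}

/* Slide check 2: a known string is present. Returns the index of the
 * first matching signature, or -1 if none matches. */
int match_signature(const unsigned char *buf, size_t n)
{
    size_t count = sizeof SIGNATURES / sizeof SIGNATURES[0];
    for (size_t i = 0; i < count; i++)
        if (contains(buf, n, SIGNATURES[i])) return (int)i;
    return -1;
}

/* Verdict: 0 clean, 1 size mismatch only (investigate), 2 signature hit. */
int scan_file(const Baseline *b, const unsigned char *buf, size_t n)
{
    if (match_signature(buf, n) >= 0) return 2;
    return size_changed(b, n) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: a clean file image and a copy with code appended. */
    const unsigned char clean[] = "MZ\x90\x00program body";
    const unsigned char infected[] = "MZ\x90\x00program body" "DEMO-SIG-0001 payload";
    Baseline b = { "app.exe", sizeof clean - 1 };
    printf("%s clean=%d infected=%d\n", b.name,
           scan_file(&b, clean, sizeof clean - 1),
           scan_file(&b, infected, sizeof infected - 1));
    return 0;
}
```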
Key Takeaways
• Evaluate all risks, even internal ones
• People do bizarre things when they think no one will find out
• Security is for professionals
• Unexplored future in biometrics
• Proxies give only thin protection
• There is no current defense to DOS attacks
• There is no defense to new viruses (except Java for a while)
Q&A