Introduction Part 1 - University of Windsor

Security and Privacy on the
Internet
A course on Internet Security
“Security is a process. It is a journey.”
--Bruce Schneier
1
Security and Privacy on the Internet
PREFERRED BACKGROUND:






Internet Architecture, TCP/IP suite, POPs, NAPs,
RAs, Peering, GigaPOPs
Evolving Requirements and architecture of
Internet
Wireless and mobile protocols
Network Application Programming
Performance Measurement, tcpdump
The course: An introduction to the issues of
security in public distributed networks
2
Security and Privacy on the Internet






Security Planning, Policies and procedures;
Threats and Strategies; digital rights
security services and mechanisms
Encryption methods and Secure Protocols,
DES, AES; Public Key algorithms; VPN
Internet sniffing and scanning tools
Intrusion Detection, Intrusion Analysis and
tools
General topics: Viruses and enterprise anti-virus tools;
other applications like digital cash, code signing and anonymous
e-mail
3
Grading Scheme
Component        60-564   60-467
Project I        15%      15%
Survey of Area   20%      15%*
Class Test       20%      20%
Final Exam       30%      35%
Assignments      15%      15%

* For 60-467, instead of the Survey, it would be Project II.
4
Why should we study Internet Security?:
Practical (Mundane) Reasons
5
Examples:
Those who hold the keys to the kingdom:

Jim Allchin, Microsoft's Windows chief, said in
Oct 2005, “I'd already been through lots of
days of personal training on the tools that are
used to do hacking.”

Researcher Dan Kaminsky found him to be quite
knowledgeable about hashing.
Researcher Matt Conover, while talking about
a fairly obscure type of problem called a
“heap overflow”, asked the audience, made
up mostly of vice presidents, whether they
knew about this type of issue; 18 of 20 hands
went up. (Blue Hat Conference at Redmond in Oct 2005)
6
A news-item


Privacy commissioner slaps Bell
over traffic management
Jennifer Stoddart rules that Bell could
better explain what it's doing with deep
packet inspection, the technology it
uses to slow traffic of bandwidth hogs
Reference: Network World Canada (03 Sep 2009)

7
Two news-items



“The industry showed a significant level of
dissatisfaction in the ability of companies to
hire information security workers.” --- from
the Information Technology Association of
America’s member survey of Sept 2003
Homeland security: allocating money in 2003
for research in security at US universities so
that more grads can become available for
jobs in security.
Social Networks
8


“Demand for IT security professionals is
approaching levels not seen since shortly after the
9/11 terrorist attacks five years ago.”
“Emergency Warning to Employers: Unless you
begin immediately to increase hiring and intensify
staff development in your security services and
products, you will probably not have sufficient
bench strength for a late 2007 crescendo in
demand..”
--Foote Partners LLC
http://www.footepartners.com/FooteNewsrelease_ITsecurityskills_070207.pdf
as of Sept 6, 2007
9
Estimates of Market for Security Products



IDC Estimates: Internet security market: expected to grow
exponentially
Yankee Estimate of market:

Host Intrusion Prevention products and services: $60
million in 2002.
Prediction: growth at a compound annual rate of 52.7 percent
to $520 million by 2007
 secure content delivery products and services: $302
million in 2002.
Prediction for 2007: $580 million.
Ironport: The Web messaging security market to
grow at about 25% annually. – Reference:
http://www.ironport.com/company/pp_trading_markets_01-042007.html as of Sept 06, 2007
10
Jobs in Security


"From what we've seen on our site, and from
what I've seen from the industry, security is
—not surprisingly— very much in demand …”
-- Nick Doty, Editorial Director of Techies.com
Average Salary: Security Analyst (Reference:
http://www.esj.com/Columns/article.asp?EditorialsID=28 )
Entry (less than 1 year of experience): US
$54,090
11
“….there will be more security breaches”,
says Schneier




As more of our infrastructure
moves online,
as more things, that someone might
want to access or steal, move
online …….
As our networking systems become
more complex …..
As our computers get more
powerful and more useful…..
12
Why should we study Internet Security?:
13
Corporation is the network.
A company can compete in the global marketplace
only if it has a strong underpinning of reliable and
secure computing and communication infrastructure.
 A network.
Which Network ?
 The latest telephone network: Advanced Intelligent
Network
 The Internet: The Stupid Network*

*Ref: “Rise of the Stupid Network”, David Isenberg,
1997, www.isen.com
14
Two laws and the User


Moore’s: Power of PCs (measured in MIPS)
increases an order of magnitude every 5
years.
Amdahl’s: A Mb of I/O capability is required
for every MIPS of processor performance.
But during 1980s and 90s
 User Accessible Bandwidth at WAN level
increased by an order of magnitude every 20
years.
15
Network-computing

Network-computing: Requirements for I/O
and communication speed grow at the same
rate.
Assume that
Communication speed requirement = 1/8(I/O capability)
Example:
processor power = 1000 MIPS
I/O requirement = 1000 Mbps
Communication requirement = 125 Mbps
Study of network architecture for providing secure and reliable
high performance, with the required QoS: an important area of
research.
16
Problem of Security



The higher the available compute power,
the ‘easier’ it is to hack a system.
The network bandwidth of WANs
increases at a rate much lower than the
rate of increase of the available
compute-power.
The amount of data being sent cannot
be increased through padding.
17
Let us begin……….
18
Introduction: Security

RFC 1244, Site Security Handbook, by
Holbrook, Reynolds, et al.
Common sense: the most appropriate tool
that can be used to establish your security
policy.
Elaborate security schemes and mechanisms:
useful only if the simple controls are NOT
forgotten.
Knowledge → Confidence → “flowering” or
“non-blocking” of Common-sense
19
Security planning


“We want to find a program that "fixes" the network
security problem. Few of us want to write a paper on
network security policies and procedures.”
Physical Security for network equipment and cables
  against natural disasters like fire and
  against misbehavior by internal authorized users
is, in fact, more important than the threats through
networks.
20
Security planning
(contd)
Components of security planning:
Step 1: assessing the threat,

Step 2: writing a security policy: a
statement of what is allowed and what is
not allowed; assigning security
responsibilities.

Step 3: Choosing the mechanism, tools
and methodologies to implement the
policy
Let us begin with step 2.

21
Security Policy
Two Important Components:
1. Decentralized Control and
2. Clear Definition of Roles and Responsibilities

Distributed Control through Subnets: The subnet
administrator and the system administrator
are responsible for their system security.
The subnet administrator allocates IP
addresses and knows his users.
22
Security Policy: Clear definitions

A network security policy should define:

The network user's security responsibilities

The policy may require users



to change their passwords at certain intervals,
to use passwords that meet certain guidelines,
to perform certain checks to see if their accounts have
been accessed by someone else.
Whatever is expected from users, it is important
that it be clearly defined.
23
Security Policy
(contd)
The system administrator's security
responsibilities:

The policy may require that

every host use




specific security measures,
login banner messages, and
monitoring and accounting procedures.
certain applications should not be run on
any host attached to the network.
24
Security Policy

(contd)
The proper use of network resources
 Define
who can use network resources,
 what things they can do, and
 what things they should not do.
If users’ email, files, and histories of computer
activity are subject to security monitoring, the
users must be very clearly informed about the
policy.


25
Security Policy

(contd)
The actions taken when a security problem is
detected


What should be done when a security problem is
detected?
Prepare a detailed list of the exact steps that a
system administrator, or user, should take when a
security breach has been detected.
Example: A user may be required to "touch nothing, and
call the network security officer."


Who should be notified?
Prepare a disaster recovery plan so that when
the worst does happen, you can recover from
it with the minimum possible disruption.
26
Reference
RFC 1281: A Guideline for the Secure Operation
of the Internet


provides guidance for users and network
administrators on how to use the Internet in
a secure and responsible manner.
useful for preparing the security policy for an
organization.
27
A detour
A little history of an ancient art:
The first printed book on cryptology
Johannes Trithemius, an abbot in Spanheim :
One of the founders of cryptology

The first printed book of cryptology: titled
“Polygraphiae Libri Sex” in German language
in 1518 by Johannes Trithemius, published
after the death of the writer.
(The title means: Six Books of Polygraphy)
28
A little history (continued)
Earlier in 1499 he had written a 3-book
“Steganographia”, (meaning covered writing):




which was circulated privately
was published in 1606.
The first two books: about cryptology.
But the third book could not be understood,
without understanding the encoding that he
had used.
29
A little history (continued):
A challenge for a cryptanalyst

In the third book, which was considered to be
incomplete, Trithemius explained why he had made it
hard to understand:
“This I did that to men of learning and men
deeply engaged in magic, it might, by the
Grace of God, be in some degree intelligible,
while on the other hand, to the thick skinned
turnip-eaters it might for all time remain a
hidden secret, and be to their dull intellects a
sealed book forever.”
30
“Ban, what you don’t understand.”



The third book: banned in 1609, ostensibly
because it explained how to employ spirits for
sending secret messages.
The challenge - of deciphering the book: met by
three persons in 500 years
1676: Wolfgang Heidel, the archbishop of
Mainz, Germany, claimed to have deciphered
the third book of Trithemius.
But his discovery was stated in a secret code
of his own. So nobody knew whether Heidel
had understood the book.
31
A little history:
Deciphering the third book of Trithemius
1996: Thomas Ernst, Prof of German at La Roche
College, Pittsburgh published a 200-page German-language report in a small Dutch journal, Daphnis.
 WIDELY KNOWN SOLUTION: spring 1998: Jim
Reeds of AT & T labs solved the riddle of
understanding the third book independently.
He did not know of the earlier work of Ernst.
Trithemius work: basically simple: Ernst took two weeks
and Reeds took two days to understand it.
Both Ernst and Reeds, separately, deciphered Heidel’s
work and found that Heidel had been able to
decipher Trithemius’ third book.

32
References: The Trithemius riddle
1. Thomas (Penn) Leary, “Cryptology in the
16th and 17th Centuries”, Cryptologia, July 1996,
available at http://home.att.net/~tleary/cryptolo.htm
2. http://www.postgazette.com/healthscience/19980629bspirit1.asp
3. Gina Kolata, “A Mystery Unraveled, Twice”, The New
York Times, April 14, 1998, pp. F1, F6, available at
http://cryptome.unicast.org/cryptome022401/tricrack.htm
33
A challenge for the future:


At 35th birthday of MIT’s Lab for Computer Science:
A time capsule of innovations has been sealed in the
new building of LCS. It contains a cryptological
problem, which may be solved in 35 years on
computers,(by 2033), which may be replaced every
year to get higher computing power.
If you find an algorithm, which solves it
earlier, you can send it to the Director, LCS.
If correct, a special ceremony to unseal the
capsule will be set up.
Reference: http://theory.lcs.mit.edu/~rivest/lcs35puzzle-description.txt
getting back from the detour ….
34
Step 3
Components of security planning

Step 1: assessing the threat
Step 2: writing a security policy (already discussed)
Step 3: Choosing
  the methodologies,
  tools and
  mechanisms
to implement the policy
35
Methodologies


Security Procedures: to implement the
policy
Goals of security Procedures:




Prevention
Detection: nature, severity of attack and
effects
Recovery and fixing vulnerabilities
Counterattack or legal recourse
36
Procedures



Usually a procedure implements one
part of the policy.
A union of procedures is supposed to
provide “precise” security.
Types of procedures:



Secure
Precise or
Broad
37
Types of Procedures
P: set of all possible states of the system
S: set of secure states, as defined by the
policy
M: set of states to which the system is
constrained by security procedures
The system is
Secure if M is contained within S;
Precise if M = S;
Broad if there are states in P which are contained
in M but which are not contained in S.
38
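The three definitions above, applied to a small enumerable system. This is an added example, not part of the original slides: the three state fields, the policy S and the three sets of procedures are constructed for illustration, and a set of procedures is assumed to constrain the system to the states in which all of its checks hold.

```python
from itertools import product

# Constructed toy system: one state per combination of three yes/no facts about a host.
FIELDS = ("pw_meets_guidelines", "pw_changed_on_time", "login_banner_shown")
P = set(product((False, True), repeat=len(FIELDS)))   # P: all possible states


def states_where(*required):
    """Subset of P in which every named field is True."""
    idx = [FIELDS.index(name) for name in required]
    return {s for s in P if all(s[i] for i in idx)}


# S: secure states under the assumed policy (both password rules must hold).
S = states_where("pw_meets_guidelines", "pw_changed_on_time")


def classify(M, S):
    """Apply the slide's definitions; also return the insecure states M still allows."""
    leaked = M - S
    if M == S:
        return "precise", leaked
    if M <= S:
        return "secure", leaked
    return "broad", leaked


# Hypothetical sets of procedures and the states each constrains the system to (M).
MECHANISMS = {
    "guidelines check only": states_where("pw_meets_guidelines"),
    "guidelines + expiry": states_where("pw_meets_guidelines", "pw_changed_on_time"),
    "guidelines + expiry + banner": states_where(*FIELDS),
}


def report():
    """Classification of every mechanism against the policy S."""
    return {name: classify(M, S) for name, M in MECHANISMS.items()}


if __name__ == "__main__":
    for name, (kind, leaked) in report().items():
        print(f"{name:30s} {kind:8s} insecure states still allowed: {len(leaked)}")
```

The last mechanism is secure but not precise: it also forbids the secure state in which the banner is missing, so it restricts more than the policy asks for.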
Procedural and Operational Security



policies and education on safe
computing practices
desktop configuration management
proactive probing for vulnerabilities
Each procedure may be designed to take
care of a threat (or a set of threats).
39

New Threats arise and old threats
change


As the use of Internet changes and
as new technologies are implemented
Some Threats
to a networked system
40
Security Threats

RFC 1244 identifies three distinct types of
security threats associated with network
connectivity:

Unauthorized access

A break-in by an unauthorized person.
Break-ins may be an embarrassment that
undermines the confidence that others have in
the organization.
Moreover, unauthorized access → one of the
other threats: disclosure of information or
denial of service.
41
Classification of Security Threats
Reference: RFC 1244

Disclosure of information


disclosure of valuable or sensitive information to people,
who should not have access to the information.
Denial of service

Any problem that makes it difficult or impossible for the
system to continue to perform productive work.
Do not connect to Internet:


a system with highly classified information, or,
if the risk of liability in case of disclosure is
great.
42
Brent Chapman’s
Three Categories of Security Threats
Brent Chapman’s Classification:

Confidentiality




Of data
Of existence of data
Of resources, their operating systems, their
configuration
Of resources used, in case the resources are
taken on rent from a service provider
43
Information Security Threats
Chapman’s Classification (contd.)

availability: A DoS attack may disrupt



availability of a service, or
availability of data
integrity
Of data
 Of origin:
Once someone has gained unauthorized access
to a system, the integrity of the information on
that system is in doubt.

44
In the face of threats
A secure system
Features of a secure system:
 A system which is able to maintain
confidentiality of data;
 A system which is able to maintain
integrity of data;
 A system, which is available, whenever
the user requires it
45
“We're in the midst of a huge society-wide change
to move record keeping from paper systems to
digital ones. In consequence, a vast number of
existing rules can and should be rethought and
revised. No better time than now, and no one
better to do it than we.”
-- Marc Donner, Google
“New Models for Old”
IEEE Security & Privacy, Aug/Sept 2009
46
Threats for the Internet/ISP





propagate false routing entries (“black holes”)
domain name hijacking
link flooding
packet intercept
Phishing attacks: use e-mails that often
appear to come from a legitimate e-mail
address and include links to spoofed Web
addresses. The receiver responds to the link,
which takes the receiver to a site, other than
what the receiver thinks he is going to.
(announced by MS on 16 Dec 2003, as a
problem with Internet Explorer).
47
Types of Security Threats: Additions
• Denial of service
• Illegitimate use
• (Mis)-Authentication
• IP spoofing
• Sniffing the password
• Playback Attack
• Bucket-brigade attack (when Eve substitutes her
own public key for the public key of Bob in a
message being sent by Bob to Alice)
• Generic threats: Backdoors, Trojan horses,
viruses etc.
48
Example of a Security Incident:
Phishing
Phishing (mis)uses the following rule:
If ASCII 00 and 01 characters are used just
prior to @ character, IE would not display the
rest of the URL.
Example:
http://www.whitehouse.gov%01%00@www.hacker.com/......
will show up as http://www.whitehouse.gov in
the status bar, as if the message were
from the White House. However, the
response will go to the hacker.
49
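A mail filter or log review can catch the URL form shown above by parsing the link the way the browser's network stack does: everything before the last @ in the authority is userinfo, and the host is what follows. This is an added example, not part of the original slides; the finding names and the sample links are constructed, and the slide's elided path is left out.

```python
import re
from urllib.parse import urlsplit, unquote

# Rough shape of a DNS name: dot-separated labels ending in an alphabetic label.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def is_control(ch):
    """True for ASCII control characters such as the 0x00 and 0x01 used in the slide."""
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def inspect_url(url):
    """Return (host the request really goes to, list of findings)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if "@" in parts.netloc:
        # Everything before the last '@' of the authority is userinfo, never the host.
        userinfo = unquote(parts.netloc.rsplit("@", 1)[0])
        findings.append("userinfo-present")
        if any(is_control(c) for c in userinfo):
            findings.append("control-chars-in-userinfo")
        visible = "".join(c for c in userinfo if not is_control(c))
        name = visible.split(":", 1)[0]          # drop an optional ":password" part
        if HOSTLIKE.match(name) and name.lower() != host:
            findings.append("userinfo-looks-like-host")
    return host, findings


# Constructed sample links; the first is the slide's example without its elided path.
SAMPLES = [
    "http://www.whitehouse.gov%01%00@www.hacker.com/",
    "http://www.whitehouse.gov/",
    "https://alice:secret@intranet.example/",
]

if __name__ == "__main__":
    for url in SAMPLES:
        host, findings = inspect_url(url)
        print(f"{url}\n  real host: {host}\n  findings: {', '.join(findings) or 'none'}")
```

A link that carries all three findings displays one site's name while the request goes to another host, which is the mismatch the slide describes.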
Anti-Phishing.org



A Web site www.antiphishing.org, for reporting
incidents,
set up by a group of global banks and technology
companies, led by Secure-messaging firm
Tumbleweed Communications Corp
Fast Response required;
The phishing Web sites: often only in place for a day.
Example: Dec 2003: Phishing e-mail appeared to
come from the U.K. bank NatWest.
Anti-Phishing.org tracked the IP address to a spoofed
home computer in San Francisco. "The owner of the
computer probably had no idea he'd been hijacked,"
says Dave Jevans, Tumbleweed's senior vice
president of marketing.
50
Common attacks on banks
through Internet
Common attacks:
 phishing (attempts to trick account holders to give
their account authentication details away),
 fraudulent association with the bank as part of
investment scams, and
 trademark violation
Losses due to attacks:
"The major banks don't want to divulge the amount of
losses. But just to give one example, a major
Australian bank has put several million dollars in
reserve since August 2003 to cover damages due to
Internet frauds." -- Dave Jevans, eWeek, Dec 2003
51
An Example:
time-to-market for Internet Security products


16 December, 2003: Discovery of the
problem of Phishing
5 January 2004: Announcement of
development of a new Anti-phishing
service by Netcraft, of Bath, England.
Netcraft says that the service is mainly for
banks and other financial organizations
52
The Netcraft Service

to detect use of their
name,
 brands,
 trademarks and
 slogans on the Internet by any
unauthorized party.




to facilitate quick removal of attempts at "phishing"
attacks.
to provide details of the site registration and hosting
locations of potentially offending sites,
to classify the severity of the incident
53
The Netcraft Service (continued)
The service will
 include real-time monitoring of spam for domains,
brands and company names.
 monitor




DNS registrations and
SSL (Secure Sockets Layer) certificate common names.
Netcraft: known for conducting monthly surveys
since 1995
http://news.netcraft.com/
Its database: has hostname & domain names for
over 58 million web sites, and the front page content
54
Netcraft Surveys

Data on the market share of
 web servers,
 operating systems,
 hosting providers (hosting locations of the million
busiest web-sites): Largest Hosters: GoDaddy 20
M, ThePlanet: 15 M; Microsoft: 9M; Google: 8 M;
myspace: 6M
 ISPs,
 encrypted transactions,
 electronic commerce (SSL sites (1996: 3283 sites;
2009: exceeded 600,000))
 scripting languages and
 content technologies on the internet
55
Terminology of Hacking
A few more words






Snooping (also called passive wire-tapping)
Active wire-tapping or man-in-the-middle
attack
Spoofing or Masquerading of a host or a
service-provider (Distinguish it from
Delegation)
Repudiation of origin or of creation of some
file
Denial of receipt
Usurpation: unauthorized control
56