SECURITYSECURITYChapter 15

CNS 3660

CrackersCrackers

"malicious computer users"

Varying intentions and abilities

What motivates people to break into computer systems?

Also: Does it matter what their motivations are?

MotivationMotivation

• a challenge

• notoriety

• ideological"cyber warfare"

• steal money

• free goods and services

• fun

Stopping crackersStopping crackers

• Back up important information

• Have hiring policies that attract honest and loyal staff

• Choose secure software and keep it up to date

• Train staff to identify weaknesses

• Use audits and logs to detect break-ins

"Most successful attacks on computer systems take advantage of well-known weaknesses such as easily guessed passwords, common misconfigurations, and old versions of software."

How important is your information?

How important is your information?

• Hobby user

• Business

• Bank

• Military

Why would crackers break into a hobby system?

"Even the computer with the least interesting data still has significant appeal as an anonymous launching pad for attacks on other systems."

Security ThreatsSecurity Threats

• Exposure of

confidential data

• Loss of data

• Repudiation

• Modification of

data

• Denial of service

• Errors in software

Exposure of confidential data

Exposure of confidential data

• Don't store secret info on web server– Info that is provided to the public– Info that has recently been collected from the

public

• Remove unnecessary services

• Design, configure, code and test carefully

• Require authentication

• Use encryptionMore on these two subjects later

Loss of dataLoss of dataBreak-ins, careless employees, hard drive crash

• Back up your data

Keep back ups away from your computer– Safe deposit boxes in two different cities– Source code, compiler, OS, etc.– Copy of thesis in seven different places (car,

freezer, etc.)

• Test your recovery procedure

Modification of dataModification of data

Prevent:

File permission facilities of OS

Encryption

Detect: can be difficult

Checksums

Store off-line

Recover:

Logs and back-ups

Denial of service (DoS)Denial of service (DoS)

someone's actions make it difficult or impossible to users to access a service

Year 2000 attacks on eBay, Amazon, Yahoo!, etc.

"one of the most difficult threats to guard against"

Why?

Errors in softwareErrors in software

• Web projects often have short development times

• Effects of errors in software– service unavailability– security breaches– financial losses– poor service to customers

Common causes of errors

Common causes of errors

• Poor specifications

• Assumptions made by developers– Data will be valid, will not contain unusual

characters, or will be less than a certain size

– Assumptions about timing of events

• Poor testing

Secure codingSecure coding

Is the strcpy function in C and C++ a security problem?

"Historically, the operating system or application level weaknesses exploited by crackers have usually been related either to buffer overflows or race conditions."

RepudiationRepudiation

• "when a party involved in a transaction denies having taken part"

• Issues:– Authentication– Tamperproof messages

• E-commerce companies get certificates

• Customers do not have certificates

Balancing Usability, Performance, Cost, and

Security

Balancing Usability, Performance, Cost, and

Security• Competing goals

• Ask yourself:– How valuable is your information?– What is your budget?– How many visitors do you expect to serve?– What obstacles will users put up with?

Authentication Principles

Authentication Principles

Authentication: proving that someone is who they claim to be

What authentication techniques are you familiar with?

Which are in common use on the web?

Authentication techniques

Authentication techniques

• passwords

• digital signatures

• biometric techniques

• hardware– smart cards, keys, etc.

• documents– passport, driver's license, etc.

What are biometric techniques?

Authentication techniques

Authentication techniques

• passwords

• digital signatures

• biometric techniques

• hardware– smart cards, keys, etc.

• documents– passport, driver's license, etc.

Only these two are commonly used with web applications.

PasswordsPasswords

• Simple concept that is widely used.

• Secure as long as no one else finds out the password.

What are the advantages and disadvantages of using passwords?

Advantages of passwords

Advantages of passwords

• Simple, cheap, and easy

• Relatively effective

Disadvantages of passwords

Disadvantages of passwords

• Passwords can be captured from file or network traffic (especially unencrypted)

• Many passwords are easily guessed– Educate users

– Enforce password selection policy

What happens if you force selection of hard-to-remember passwords?

user name fred

password k3%mq9

How users remember hard-to-remember passwords

Creating passwordsCreating passwords

• Random character strings

• Combination of two short words with special characters or digits

• First letter in phrase or line from song

• Dicewarehttp://world.std.com/~reinhold/diceware.html

HTTP basic authentication

HTTP basic authentication

• Server requests authentication info

• Browser stores details and gives to server with each request

• Transmits user id and password in clear

• Set up realm name, user names, passwords

Problems with basic authentication

Problems with basic authentication

• No secure identification of host

• Cracker can replay request

• Cracker can capture packets and obtain password– HTTP provides digest authentication which

uses MD5 to "disguise the details"--slightly more secure than plaintext

Basic authentication with Apache

Basic authentication with Apache

• Can use .htaccess file in directory– Server must parse file with every request

• Can also use httpd.conf file– more efficient than .htaccess

• Use htpasswd command to create password file– encrypts passwords

Encryption basicsEncryption basics

"An encryption algorithm is a mathematical process to transform information into a seemingly random string of data."

PlainText

EncryptionAlgorithm

CypherText

One-way encryptionOne-way encryptionEncryption algorithm is not reversible for one-way encryption.

When is one-way encryption useful?

PlainText

EncryptionAlgorithm

CypherText

Two-way encryptionTwo-way encryption• Decryption algorithm recovers plain text.

• Encryption and decryption require same key

EncryptionAlgorithm

CypherText

PlainText

DecryptionAlgorithm

PlainText

Key

Public key encryptionPublic key encryption• Two keys:

– Private key is secret– Public key is distributed freely

EncryptionAlgorithm

CypherText

PlainText

DecryptionAlgorithm

PlainText

Public key Private key

Digital signatureDigital signature• Encrypt with private key

– Usually only encrypt message digest (hash)

• Decrypt with public key to verify

EncryptionAlgorithm

CypherText

PlainText

DecryptionAlgorithm

PlainText

Public keyPrivate key

Digital CertificatesDigital Certificates

• Issued by certifying authority (CA)– e.g. Verisign, etc.

• Signed by CA (encrypted with private key)

• Includes server's public key

• More later with secure transactions

Other security issuesOther security issues

• Auditing and logging

• Firewalls

• Data backups

• Physical security