Security
Chapter 15
CNS 3660
Crackers
"malicious computer users"
Varying intentions and abilities
What motivates people to break into computer systems?
Also: Does it matter what their motivations are?
Motivation
• a challenge
• notoriety
• ideological ("cyber warfare")
• steal money
• free goods and services
• fun
Stopping crackers
• Back up important information
• Have hiring policies that attract honest and loyal staff
• Choose secure software and keep it up to date
• Train staff to identify weaknesses
• Use audits and logs to detect break-ins
"Most successful attacks on computer systems take advantage of well-known weaknesses such as easily guessed passwords, common misconfigurations, and old versions of software."
How important is your information?
• Hobby user
• Business
• Bank
• Military
Why would crackers break into a hobby system?
"Even the computer with the least interesting data still has significant appeal as an anonymous launching pad for attacks on other systems."
Security Threats
• Exposure of confidential data
• Loss of data
• Repudiation
• Modification of data
• Denial of service
• Errors in software
Exposure of confidential data
• Don't store secret info on the web server; it should hold only:
  – info that is provided to the public
  – info that has recently been collected from the public
• Remove unnecessary services
• Design, configure, code and test carefully
• Require authentication
• Use encryption
More on these two subjects later
Loss of data
Break-ins, careless employees, hard drive crash
• Back up your data
• Keep backups away from your computer
  – Safe deposit boxes in two different cities
  – Source code, compiler, OS, etc.
  – Copy of thesis in seven different places (car, freezer, etc.)
• Test your recovery procedure
Modification of data
Prevent:
• File permission facilities of OS
• Encryption
Detect (can be difficult):
• Checksums
• Store off-line
Recover:
• Logs and back-ups
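The "checksums, stored off-line" approach to detecting modified files, as an added example that is not from the original slides or the course. It snapshots a directory tree into a SHA-256 manifest, then compares the tree against that manifest later; the file names, contents and the simulated tampering are constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile

# All file names and contents below are constructed for this example.


def sha256_of(path):
    """Hex SHA-256 of one file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_manifest(root, trusted):
    """Compare the tree under root against a trusted manifest taken earlier.
    Returns the relative paths that were modified, removed, or added."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in trusted if p in current and current[p] != trusted[p]),
        "missing": sorted(p for p in trusted if p not in current),
        "added": sorted(p for p in current if p not in trusted),
    }


def demo(tamper=True):
    """Snapshot a small document tree, optionally tamper with it, and check it."""
    root = tempfile.mkdtemp()
    try:
        htdocs = os.path.join(root, "htdocs")
        os.makedirs(htdocs)
        with open(os.path.join(htdocs, "index.php"), "w") as f:
            f.write("<?php echo 'welcome'; ?>\n")
        with open(os.path.join(htdocs, "config.php"), "w") as f:
            f.write("<?php $db_name = 'shop'; ?>\n")

        # The manifest has to live somewhere an intruder on the web host
        # cannot rewrite it (read-only media, a separate machine), or they
        # simply recompute the checksums after changing the files. Here it is
        # serialised to JSON as it would be for off-line storage.
        trusted = json.dumps(build_manifest(root), sort_keys=True)

        if tamper:
            # Simulated break-in: one page altered, one new file dropped.
            with open(os.path.join(htdocs, "index.php"), "a") as f:
                f.write("<!-- changed after the snapshot -->\n")
            with open(os.path.join(htdocs, "extra.php"), "w") as f:
                f.write("<?php /* not in the manifest */ ?>\n")

        return verify_manifest(root, json.loads(trusted))
    finally:
        shutil.rmtree(root)
```

`demo()` reports `htdocs/index.php` as modified and `htdocs/extra.php` as added; `demo(tamper=False)` reports nothing. The manifest is only as trustworthy as its storage: an intruder who can edit both the files and the manifest defeats the check, which is why the slide says to store it off-line.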
Denial of service (DoS)
Someone's actions make it difficult or impossible for users to access a service.
Year 2000 attacks on eBay, Amazon, Yahoo!, etc.
"one of the most difficult threats to guard against"
Why?
Errors in software
• Web projects often have short development times
• Effects of errors in software
  – service unavailability
  – security breaches
  – financial losses
  – poor service to customers
Common causes of errors
• Poor specifications
• Assumptions made by developers
  – Data will be valid, will not contain unusual characters, or will be less than a certain size
  – Assumptions about timing of events
• Poor testing
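Checking the developer assumptions listed above explicitly instead of trusting them, as an added example (not code from the original slides). It validates a two-field order form as it would arrive from an HTTP request; the field names, character allow-list and limits are assumptions chosen for the example.

```python
import re

# Constructed example: an order form whose two fields, "name" and
# "quantity", arrive as strings from an HTTP request. The field names,
# character allow-list and limits are assumptions chosen for this example.

MAX_QUANTITY = 100
MAX_NAME_LENGTH = 64
# Allow-list of characters a name may contain. Deliberately narrow; widen it
# for the real user population rather than switching to a deny-list.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]*")


def validate_order(form):
    """Check every assumption explicitly instead of trusting the input.

    Returns (clean, errors): clean holds typed, validated values; errors is
    a list of human-readable problems (empty when the form is acceptable).
    """
    clean, errors = {}, []

    # Assumption 1: the field is present at all.
    name = form.get("name")
    if name is None:
        errors.append("name: missing")
    else:
        name = name.strip()
        # Assumption 2: it is no bigger than the code expects.
        if not name or len(name) > MAX_NAME_LENGTH:
            errors.append(f"name: must be 1 to {MAX_NAME_LENGTH} characters")
        # Assumption 3: it contains only characters the code expects.
        elif not NAME_RE.fullmatch(name):
            errors.append("name: contains unexpected characters")
        else:
            clean["name"] = name

    quantity = form.get("quantity")
    if quantity is None:
        errors.append("quantity: missing")
    # Assumption 4: it is numeric, and small enough to convert safely.
    elif not re.fullmatch(r"[0-9]{1,4}", quantity.strip()):
        errors.append("quantity: not a small positive integer")
    else:
        value = int(quantity)
        if not 1 <= value <= MAX_QUANTITY:
            errors.append(f"quantity: must be between 1 and {MAX_QUANTITY}")
        else:
            clean["quantity"] = value

    # Assumption 5: the client sends only the fields the form defines.
    unexpected = sorted(set(form) - {"name", "quantity"})
    if unexpected:
        errors.append("unexpected fields: " + ", ".join(unexpected))

    return clean, errors
```

The pattern is the same for every field: presence, size, then an allow-list of acceptable content, with the typed value only produced once all three hold. Timing assumptions (the second sub-bullet) are not something input validation can fix; those need the same care in the design of the transaction.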
Secure coding
Is the strcpy function in C and C++ a security problem?
"Historically, the operating system or application level weaknesses exploited by crackers have usually been related either to buffer overflows or race conditions."
Repudiation
• "when a party involved in a transaction denies having taken part"
• Issues:
  – Authentication
  – Tamperproof messages
• E-commerce companies get certificates
• Customers do not have certificates
Balancing Usability, Performance, Cost, and Security
• Competing goals
• Ask yourself:
  – How valuable is your information?
  – What is your budget?
  – How many visitors do you expect to serve?
  – What obstacles will users put up with?
Authentication Principles
Authentication: proving that someone is who they claim to be
What authentication techniques are you familiar with?
Which are in common use on the web?
Authentication techniques
• passwords
• digital signatures
• biometric techniques
• hardware
  – smart cards, keys, etc.
• documents
  – passport, driver's license, etc.
What are biometric techniques?
Only two of these techniques are commonly used with web applications.
Passwords
• Simple concept that is widely used.
• Secure as long as no one else finds out the password.
What are the advantages and disadvantages of using passwords?
Advantages of passwords
• Simple, cheap, and easy
• Relatively effective
Disadvantages of passwords
• Passwords can be captured from a file or from network traffic (especially when unencrypted)
• Many passwords are easily guessed
  – Educate users
  – Enforce password selection policy
What happens if you force selection of hard-to-remember passwords?
(Picture of a sticky note reading "user name fred / password k3%mq9": how users remember hard-to-remember passwords.)
Creating passwords
• Random character strings
• Combination of two short words with special characters or digits
• First letter in phrase or line from song
• Diceware: http://world.std.com/~reinhold/diceware.html
HTTP basic authentication
• Server requests authentication info
• Browser stores the details and sends them to the server with each request
• Transmits user id and password in the clear (base64-encoded, not encrypted)
• Set up realm name, user names, passwords
Problems with basic authentication
• No secure identification of host
• Cracker can replay request
• Cracker can capture packets and obtain password
  – HTTP provides digest authentication, which uses MD5 to "disguise the details": slightly more secure than plaintext
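What a captured request actually contains under basic and digest authentication, as an added example (not from the original slides). Basic authentication sends the password base64-encoded, so it is recovered by decoding; digest sends only an MD5 response, but everything else in that response is also in the captured request, so the password can be guessed off-line. The user name, password, realm, nonce and word list are made up, and the digest formula is the original RFC 2069 form (no qop), which is the MD5 "disguise" the slide refers to.

```python
import base64
import hashlib

# Constructed example: what HTTP basic authentication puts on the wire and
# why digest authentication only "disguises" the password. The user name,
# password, realm, nonce and word list are made up; the digest formula is
# the original RFC 2069 form (no qop).


def basic_authorization_header(user, password):
    """The header the browser attaches to every request for the realm."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Authorization: Basic {token}"


def credentials_from_basic_header(header_line):
    """What a packet capture gives an attacker: base64 is an encoding, not
    encryption, so the user name and password come straight back out."""
    name, _, value = header_line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if name.strip().lower() != "authorization" or scheme != "Basic":
        raise ValueError("not a basic authentication header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """Digest authentication: the password itself is never transmitted,
    only response = MD5(MD5(user:realm:password):nonce:MD5(method:uri))."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def crack_digest(captured, user, realm, nonce, method, uri, wordlist):
    """Why digest is only slightly better: user, realm, nonce, method and
    URI are all in the captured request, so an attacker can test candidate
    passwords off-line until one reproduces the captured response."""
    for candidate in wordlist:
        if digest_response(user, realm, candidate, nonce, method, uri) == captured:
            return candidate
    return None
```

Because the same `Authorization` line is accepted on every request until the password changes, a captured basic-auth request can also simply be replayed, which is the second bullet above. Neither scheme identifies the host, so both need TLS underneath them to be safe on a network.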
Basic authentication with Apache
• Can use .htaccess file in directory
  – Server must parse file with every request
• Can also use httpd.conf file
  – more efficient than .htaccess
• Use htpasswd command to create password file
  – stores a one-way hash of each password, not the password itself
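The two Apache set-ups just described, as an added configuration example (not taken from the slides or the course). The directory, realm name and file paths are assumptions; the directives themselves are standard Apache httpd ones.

```apache
# httpd.conf (or a file included from it). Read once at start-up, so it is
# cheaper than .htaccess, which Apache must look for and parse on every
# request. Paths, realm name and directory are assumptions for this example.
<Directory "/var/www/html/members">
    AuthType Basic
    AuthName "Members Only"
    # Keep the password file outside the document root so it can never be
    # served to a browser.
    AuthUserFile "/etc/apache2/.htpasswd"
    Require valid-user
    # No .htaccess lookups in this directory at all.
    AllowOverride None
</Directory>

# Equivalent .htaccess placed in /var/www/html/members. This only works if
# httpd.conf grants "AllowOverride AuthConfig" for that directory:
#   AuthType Basic
#   AuthName "Members Only"
#   AuthUserFile "/etc/apache2/.htpasswd"
#   Require valid-user

# Create the password file (-c creates it) and add the first user; -B asks
# for bcrypt hashes rather than the weaker default. htpasswd stores only a
# hash, never the plaintext password:
#   htpasswd -c -B /etc/apache2/.htpasswd fred
#   htpasswd -B /etc/apache2/.htpasswd alice
```

Whichever form is used, the realm name in `AuthName` is what the browser shows in its login prompt and what it uses to decide which stored credentials to resend on later requests.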
Encryption basics
"An encryption algorithm is a mathematical process to transform information into a seemingly random string of data."
(Figure: plain text → encryption algorithm → cypher text)
One-way encryption
The encryption algorithm is not reversible for one-way encryption.
When is one-way encryption useful?
(Figure: plain text → encryption algorithm → cypher text, with no way back)
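The most common web use of one-way encryption, storing passwords, as an added example that is not from the original slides. The stored value cannot be turned back into the password; a login is checked by hashing the offered password the same way and comparing. The record format and iteration count are choices made for this example; the algorithm is PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import hashlib
import hmac
import os

# Constructed example of one-way "encryption" in its most common web use:
# storing passwords so that the stored value cannot be turned back into the
# password. The record format and iteration count are choices made here;
# the algorithm is PBKDF2-HMAC-SHA256 from the standard library.

ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt means two users with the same password get
    different records, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; there is
    no way to decrypt `stored`, only to test a candidate against it."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unknown password record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain == would leak how many leading
    # bytes matched through timing.
    return hmac.compare_digest(digest.hex(), hash_hex)
```

The iteration count is the deliberate slowness that makes guessing expensive; it is stored with the record so it can be raised later for new passwords without breaking old ones.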
Two-way encryption
• Decryption algorithm recovers plain text.
• Encryption and decryption require same key
(Figure: plain text → encryption algorithm → cypher text → decryption algorithm → plain text, with the same key used on both sides)
Public key encryption
• Two keys:
  – Private key is secret
  – Public key is distributed freely
(Figure: plain text → encryption algorithm (public key) → cypher text → decryption algorithm (private key) → plain text)
Digital signature
• Encrypt with private key
  – Usually only encrypt message digest (hash)
• Decrypt with public key to verify
(Figure: plain text → encryption algorithm (private key) → cypher text → decryption algorithm (public key) → plain text)
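Both of the preceding slides (public key encryption, and a digital signature over a message digest) worked through with textbook RSA, as an added example that is not part of the original slides. The modulus is built from two Mersenne primes so that no key generation or library is needed; those primes are far too small and too structured for a real key, and RSA without padding is not safe to use as shown, so real code uses a library with proper padding.

```python
import hashlib

# Constructed example of the two preceding slides with textbook RSA:
#  - public key encryption: encrypt with the public key, decrypt with the
#    private key;
#  - digital signature: hash the message, "encrypt" the digest with the
#    private key, "decrypt" it with the public key and compare.
# The modulus is built from two Mersenne primes so no key generation or
# library is needed. These primes are far too small and too structured for
# real keys, and RSA without padding is not safe to use as shown.

P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # modular inverse of E; needs Python 3.8+

PUBLIC_KEY = (E, N)    # distributed freely
PRIVATE_KEY = (D, N)   # kept secret


def encrypt(plain_int, public_key):
    """Anyone with the public key can do this."""
    e, n = public_key
    if not 0 <= plain_int < n:
        raise ValueError("message does not fit the modulus")
    return pow(plain_int, e, n)


def decrypt(cipher_int, private_key):
    """Only the holder of the private key can do this."""
    d, n = private_key
    return pow(cipher_int, d, n)


def encrypt_text(text, public_key):
    return encrypt(int.from_bytes(text.encode("utf-8"), "big"), public_key)


def decrypt_text(cipher_int, private_key):
    m = decrypt(cipher_int, private_key)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")


def message_digest(message, n):
    """SHA-256 of the message as an integer, reduced so it fits the modulus;
    only the digest is signed, not the message itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    """'Encrypt' the digest with the private key."""
    d, n = private_key
    return pow(message_digest(message, n), d, n)


def verify(message, signature, public_key):
    """'Decrypt' the signature with the public key and compare digests."""
    e, n = public_key
    return pow(signature, e, n) == message_digest(message, n)
```

The same key pair serves both uses, with the roles of the keys swapped: confidentiality comes from only the private key being able to undo what the public key did, and a signature from only the private key being able to produce something the public key undoes to the right digest. Changing a single character of the signed message, or a single bit of the signature, makes `verify` fail.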
Digital Certificates
• Issued by certifying authority (CA)
  – e.g. Verisign, etc.
• Signed by CA (encrypted with the CA's private key)
• Includes server's public key
• More later with secure transactions
Other security issues
• Auditing and logging
• Firewalls
• Data backups
• Physical security