chap15(1)

28 slides

Upload: mbadubai

Post on 17-Dec-2015


Description: OS slides

Transcript:

  • Computer Security
    – Prior to networking, this was often done by having the data/machines in a locked room
    – Requirements
      – Confidentiality – Information can only be accessed by authorized people
      – Integrity – Modifications can only be done by authorized people
      – Availability – System can be used by authorized people
      – Authenticity – System can verify a user's identity
    – Threats
      – Interruption – System can't be used
      – Interception – Read unauthorized data
      – Modification – Tamper with data
      – Fabrication – Insert counterfeit objects into a system

  • Attacks on Assets
    – Hardware
      – Main attack is availability
    – Software
      – Availability – Delete programs
      – Secrecy – Copying programs
      – Integrity – Trojans/viruses
    – Data
      – Availability – Delete files
      – Secrecy – Reading unauthorized files
        – Using statistical analysis to get data
          – Get average of A, B & C and average of A & B
          – May need to work with raw data to create some combinations
      – Integrity – Modifying files

  • Attacks on Communication
    – Passive
      – Release of message contents
        – Sniffers – Look at all messages in an attempt to discover passwords
      – Traffic analysis – Who is talking to whom?
    – Active
      – Masquerade – Pretend to be somebody else
        – Man-in-the-middle attacks
      – Replay – Repeat valid sequences
        – Tends to imply some use of masquerade
      – Modification of messages
        – "Transfer $100.00" to "Transfer $900.00"
      – Denial of service – Prevent use of the system

  • Protection
    – Need to protect:
      – Memory
      – I/O devices
      – Programs
      – Data
    – Levels of protection:
      – No protection
      – Isolation – Each process is separate
      – Share All/Share Nothing – Can declare an object public or private
      – Share via access limitations – Check each access to see if it is permitted
      – Share via dynamic capabilities – Allow dynamic creation of sharing rights
      – Limit use of an object – Can limit based on the use (display vs. print)

  • Protection
    – Memory
      – Protection also provides correct operation in addition to security
      – Virtual memory helps separate processes
        – Can only access pages in your page table
        – Can share pages by putting them on both page tables
      – IBM 370
        – Each page has a 4-bit protection key and a fetch protection bit
        – CPU and I/O devices use a matching key when accessing memory
    – User-oriented access control
      – Authenticating users
        – Commonly done using id and password
        – Concern about eavesdropping
      – May be centralized (network does logon) or distributed (each host handles logon)
      – May also limit who can access the network as a whole

  • Data-oriented control
    – Each user has permitted actions
      – Anyone in administration can see the list of employees, but only personnel staff can change someone's salary
    – Access matrix (Subjects x Objects)
      – Subject – Entity that can access objects
      – Object – Anything to which access is controlled
      – Access Right – The way the object is accessed by the subject
    – Generally the matrix is sparse, so it is stored in a different fashion:
      – Access Control List – Who is allowed to do something with this object?
      – Capability List – What can this user do?
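
The sparse access matrix and its two storage forms, as an added example that is not part of the original slides: the same matrix is kept as an access control list (per object) and as a capability list (per subject), and a mediation check consults either form. Subjects, objects and rights are constructed sample data built around the slide's employee-list/salary scenario.

```python
# Added example (not from the slides): one sparse access matrix kept in two
# equivalent forms, an ACL per object and a capability list per subject.
# Subjects, objects and rights below are constructed sample data.

ACCESS_MATRIX = {  # (subject, object) -> rights; absent pairs mean no access
    ("alice", "employee_list"): {"read"},                 # administration
    ("bob",   "employee_list"): {"read"},                 # administration
    ("carol", "employee_list"): {"read", "write"},        # personnel staff
    ("carol", "salary_table"):  {"read", "write"},
    ("alice", "salary_table"):  set(),                    # explicitly nothing
}

def to_acl(matrix):
    """Column view: for each object, which subjects may do what."""
    acl = {}
    for (subj, obj), rights in matrix.items():
        if rights:                       # sparse: store only non-empty cells
            acl.setdefault(obj, {})[subj] = set(rights)
    return acl

def to_capabilities(matrix):
    """Row view: for each subject, which objects it may act on and how."""
    caps = {}
    for (subj, obj), rights in matrix.items():
        if rights:
            caps.setdefault(subj, {})[obj] = set(rights)
    return caps

def acl_permits(acl, subj, obj, right):
    return right in acl.get(obj, {}).get(subj, set())

def cap_permits(caps, subj, obj, right):
    return right in caps.get(subj, {}).get(obj, set())

def check_consistent(matrix):
    """Both forms must answer every (subject, object, right) query identically."""
    acl, caps = to_acl(matrix), to_capabilities(matrix)
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    return all(acl_permits(acl, s, o, r) == cap_permits(caps, s, o, r)
               for s in subjects for o in objects for r in ("read", "write"))

if __name__ == "__main__":
    acl = to_acl(ACCESS_MATRIX)
    print("can write salary_table:", sorted(s for s, r in acl["salary_table"].items() if "write" in r))
    print("alice writes salary_table:", acl_permits(acl, "alice", "salary_table", "write"))
```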

  • Intruders
    – Classes:
      – Masquerader – Someone who exploits the account of a legitimate user
      – Misfeasor – A legitimate user who does things that are not authorized
      – Clandestine User – Someone who gets supervisor control, uses it to evade or suppress auditing/access controls
    – May be benign or malicious
    – Storing Passwords
      – One-way encryption – Take the user's password and encrypt it in a way that cannot be reversed.
      – Access control – Only the system and one or two users can read the password file

  • Learning Passwords
    – Try system default passwords
      – Many people don't change the password
    – Try all short passwords (1-3 chars)
    – Try common words (dictionary attack)
    – Try name, spouse's name, children, phone numbers, license plate, etc.
    – Try variants (1-L, reverse, etc.) of dictionary words, name, etc.
    – Trojan horse to bypass security
      – Program to copy password file
      – Creates special programs to allow later access by a user
    – Tap line between user and host
      – Sniffing packets may work here

  • Passwords
    – User ID generally used for determining who should have access, and what rights they have
    – Unix Passwords:
      – User password converted to 56 bits
      – Add a salt of 12 bits
        – Randomly selected when the user changes the password
        – Means the same password chosen by different users will usually be different
        – Salt is stored with the password so it is available when a password is entered.
      – Salt + Password used as the key in a modified DES algorithm
      – Guessing programs may use more efficient versions of the algorithm
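
A salted one-way password store in the style of the Unix scheme above, as an added example that is not part of the original slides. The 12-bit random salt is kept as on the slide; the slide's modified-DES function is replaced here by PBKDF2-HMAC-SHA256 from the standard library (an assumption of this example, since DES is not in the standard library), and the user names are constructed.

```python
# Added example (not from the slides): salt stored with the hash, fresh salt on every
# password change, and verification by recomputation. PBKDF2 stands in for the slide's
# modified DES; SALT_BITS mirrors the slide, not current practice (128+ bits today).
import hashlib
import hmac
import secrets

SALT_BITS = 12          # as on the slide: 4096 possible salts
ITERATIONS = 100_000    # work factor: slows the guessing programs the slide mentions

def hash_password(password: str, salt: int) -> bytes:
    """One-way transform of (salt + password): can be recomputed, not reversed."""
    salt_bytes = salt.to_bytes(2, "big")
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt_bytes, ITERATIONS)

def set_password(store: dict, user: str, password: str) -> None:
    """Pick a random salt whenever the password changes; keep salt next to the hash."""
    salt = secrets.randbelow(1 << SALT_BITS)
    store[user] = (salt, hash_password(password, salt))

def check_password(store: dict, user: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if user not in store:
        return False
    salt, stored = store[user]
    return hmac.compare_digest(stored, hash_password(candidate, salt))

def salt_changes_hash(password: str) -> bool:
    """Same password, two different salts: the stored values differ."""
    return hash_password(password, 0x123) != hash_password(password, 0x456)

if __name__ == "__main__":
    store = {}
    set_password(store, "alice", "correct horse")
    print(check_password(store, "alice", "correct horse"))   # True
    print(check_password(store, "alice", "wrong"))           # False
```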

  • Password Study
    – Collected nearly 14,000 encrypted passwords
    – Strategy:
      – Try user info variants
      – Try words from 60,000 entry dictionary
      – Try permutations of above (0-O, 1-L, etc.)
      – Try various capitalization of above
    – Table 15.3 (page 663)

    Type of Password         Search Size   Number of Matches   Percentage of Passwords Matched
    User/account name                130                 368                            2.70%
    Character sequences              866                  22                            0.20%
    Numbers                          427                   9                            0.10%
    Chinese                          392                  56                            0.40%
    Place names                      628                  82                            0.60%
    Common names                   2,239                 548                            4.00%
    Female names                   4,280                 161                            1.20%
    Male names                     2,866                 140                            1.00%
    Uncommon names                 4,955                 130                            0.90%
    Myths and legends              1,246                  66                            0.50%
    Shakespearean                    473                  11                            0.10%
    Sports terms                     238                  32                            0.20%
    Science fiction                  691                  59                            0.40%
    Movies and actors                 99                  12                            0.10%
    Cartoons                          92                   9                            0.10%
    Famous people                    290                  55                            0.40%
    Phrases and patterns             933                 253                            1.80%
    Surnames                          33                   9                            0.10%
    Biology                           58                   1                            0.00%
    System dictionary             19,683               1,027                            7.40%
    Machine names                  9,018                 132                            1.00%
    Mnemonics                         14                   2                            0.00%
    King James bible               7,525                  83                            0.60%
    Miscellaneous words            3,212                  54                            0.40%
    Yiddish words                     56                   0                            0.00%
    Asteroids                      2,407                  19                            0.10%
    TOTAL                         62,727               3,340                           24.20%

  • Protecting Passwords
    – Access Control
      – Keep the password file secret
      – What if someone gets in by some means?
        – Bugs may result in users getting part/all of the password file
      – What if the password file can't be read?
        – Users may use the same password on multiple machines
    – Generating good passwords
      – Educate users (poor for universities)
      – Computer-generated passwords
        – Tends to be hard to remember
        – FIPS PUB 181 – Make pseudo-words
      – Run password checker on the system
      – Check passwords as they are changed
        – If too strict, users will complain
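
A proactive password checker of the kind this slide recommends running when a password is changed, as an added example that is not part of the original slides. It rejects the classes exploited by the guessing strategies in "Learning Passwords" and the "Password Study": short passwords, the user's own account or name, dictionary words, and their common variants (reversal, 0-O / 1-L style substitutions, a trailing digit). The dictionary, the substitution map and the user data are a constructed sample.

```python
# Added example (not from the slides): proactive checker run at password-change time.
# DICTIONARY is a tiny constructed stand-in for the 60,000-entry list of the study.
DICTIONARY = {"password", "secret", "welcome", "monday", "dragon", "hello"}
MIN_LENGTH = 8

# Undo the digit/symbol swaps guessers try (0-O, 1-L, 3-E, 4-A, 5-S, @-A, $-S).
UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def variants(word: str) -> set:
    """Normalized forms a guesser would derive from a word: lowercase, un-leeted, reversed,
    and the same with one trailing digit or symbol stripped (e.g. 'dragon1' -> 'dragon')."""
    base = word.lower()
    forms = {base, base.translate(UNLEET), base[::-1]}
    if len(base) > 1 and not base[-1].isalpha():
        forms.add(base[:-1])
        forms.add(base[:-1].translate(UNLEET))
    return forms

def check_password(password: str, username: str, full_name: str) -> list:
    """Return the reasons the password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    forms = variants(password)
    personal = {username} | set(full_name.split())
    personal_forms = {v for p in personal for v in variants(p) if len(v) >= 4}
    if any(p in f for p in personal_forms for f in forms):
        reasons.append("derived from account name or user's name")
    if forms & DICTIONARY:
        reasons.append("dictionary word or simple variant of one")
    return reasons

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "drowssap", "Smithj1", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "jsmith", "John Smith") or "accepted")
```

The checker deliberately reports every reason rather than the first one found, so the message shown to the user (the "if too strict, users will complain" trade-off) can be tuned without changing the rules.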

  • Intrusion Detection
    – Assume protections will fail, check if something odd is going on
      – May be able to remove an intruder before any damage happens
      – Helps as a deterrent
      – Helps strengthen protections
    – Based on the idea that intruders tend to do different things than an ordinary user
    – Statistical detection
      – Note when an event occurs often
      – Note when an event occurs more often than usual for that user
    – Rule-based detection
      – Note changes from previous usage
      – Note suspicious behavior

  • Auditing
    – Record of ongoing activity
      – Most systems include auditing files
      – Intruder detection system may have additional files
    – Detection-specific audit records
      – Subject – Who is doing the action?
      – Action – What is being done?
      – Object – What is being used?
      – Exception condition – Any problems?
      – Resource usage
      – Timestamp – When did it happen?
    – Each record refers to an elementary action
      – Easier to detect intrusions
      – Simplifies model and implementation
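
Statistical and rule-based detection run over detection-specific audit records with the fields listed on this slide, as an added example that is not part of the original slides; it serves the "Intrusion Detection" slide as well. Each record is one elementary action. The audit trail, the user names and the thresholds are constructed for this example.

```python
# Added example (not from the slides): per-user statistical profile plus one simple rule,
# evaluated over constructed audit records (subject, action, object, exception, cpu_ms, day).
from collections import Counter
from statistics import mean, pstdev

AUDIT_RECORDS = [  # constructed audit trail for user "alice" over four days
    ("alice", "login", "host1", "", 2, 1), ("alice", "login", "host1", "bad-passwd", 2, 1),
    ("alice", "read", "/home/alice/notes", "", 5, 1),
    ("alice", "login", "host1", "", 2, 2), ("alice", "read", "/home/alice/notes", "", 5, 2),
    ("alice", "login", "host1", "", 2, 3), ("alice", "login", "host1", "bad-passwd", 2, 3),
    # day 4: a burst of failed logins, then repeated attempts on another user's files
    ("alice", "login", "host1", "bad-passwd", 2, 4), ("alice", "login", "host1", "bad-passwd", 2, 4),
    ("alice", "login", "host1", "bad-passwd", 2, 4), ("alice", "login", "host1", "bad-passwd", 2, 4),
    ("alice", "login", "host1", "", 2, 4),
    ("alice", "read", "/home/bob/mail", "perm-denied", 5, 4),
    ("alice", "read", "/home/bob/mail", "perm-denied", 5, 4),
]

def daily_counts(records, subject, event):
    """How often the (action, exception) pair occurred for this subject, per day."""
    counts = Counter()
    for subj, action, _obj, exc, _cpu, day in records:
        if subj == subject and (action, exc) == event:
            counts[day] += 1
    return counts

def anomalous_days(records, subject, event, baseline_days, k=2.0):
    """Statistical detection: days where the count is well above this user's usual rate."""
    counts = daily_counts(records, subject, event)
    history = [counts.get(d, 0) for d in baseline_days]
    # floor on the spread keeps a perfectly flat history from flagging every small change
    threshold = mean(history) + k * max(pstdev(history), 0.5)
    return sorted(d for d, c in counts.items() if d not in baseline_days and c > threshold)

def rule_violations(records, min_repeats=2):
    """Rule-based detection: repeated permission-denied accesses to one object in a day."""
    denied = Counter()
    for subj, _action, obj, exc, _cpu, day in records:
        if exc == "perm-denied":
            denied[(subj, obj, day)] += 1
    return sorted(key for key, c in denied.items() if c >= min_repeats)

if __name__ == "__main__":
    print(anomalous_days(AUDIT_RECORDS, "alice", ("login", "bad-passwd"), [1, 2, 3]))  # [4]
    print(rule_violations(AUDIT_RECORDS))  # [('alice', '/home/bob/mail', 4)]
```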

  • Malicious Programs
    – Types (Figure 15.7, pg. 670)
    – Note: definitions of these terms are not agreed upon. See how someone is using a term
      – Some articles define Virus to include Trojan Horse

  • Threats
    – Trapdoor
      – Secret entry point into a program that bypasses normal security
      – May be put in for the convenience of the programmer, then forgotten
      – Have been inserted under the guise of system updates
    – Logic Bomb
      – Code embedded in a program to do something under certain conditions
      – "If I am not an employee, delete YYYY"
    – Trojan Horse
      – Apparently useful program that performs some hidden thing on the side
      – Game that secretly copies a system file
      – Classic Example: login program that allows a special password (Thompson) http://www.acm.org/classics/sep95/

  • Threats 2
    – Virus
      – A section of code that can replicate itself
      – Attached to a program or part of the operating system
    – Worm
      – Uses network connections to spread from system to system
      – May use:
        – Email
        – Remote execution capability
        – Remote login capability
      – Searches the Internet, starts copies on the other system
    – Zombie
      – Secretly takes over an Internet-attached computer, uses it to attack another system
      – Often used for denial-of-service attacks

  • Viruses
    – Typical Stages:
      – Dormant – Sits idle waiting for some event (not all viruses have this stage)
      – Propagation – Copies itself into other programs or system areas
      – Trigger – Some event activates the virus
      – Execution – Virus displays message, destroys files, etc.
    – Types of viruses
      – Parasitic – Adds itself to executable files
      – Memory-resident – Resides in main memory, attaches itself to files
      – Boot Sector – Spreads when the O.S. is started from a disk with the virus
      – Stealth – Tries to hide itself
      – Polymorphic – Mutates as it spreads
        – Used as an attempt to hide from scanners

  • Viruses
    – Macro Viruses
      – Take advantage of macro features in Word, Excel, or Outlook
      – O.S. independent
      – Infect documents, not programs
      – Easy to spread, especially by email
      – Requires autoexecute capability
        – Runs when document loaded or on a specific event
      – Often copy themselves to global macro file
    – Antivirus Approaches
      – Prevention – Try to locate a virus before it can infect a system
      – Detection – Determine if a virus has infected the system
      – Identification – Determine the specific virus involved
      – Removal – Eliminate all traces of the virus and restore the system to the original state

  • Antivirus Programs
    – Early programs looked for specific bit patterns
    – Later programs used heuristics to check for virus infections
    – Some use a hash to verify the program integrity
    – Generic Decryption
      – Uses a software-based virtual computer
        – CPU Emulator
        – Virus Signature Scanner
        – Emulation Control Module
      – Interprets the target code, but prevents any changes to the host system
      – Looks for known signatures or virus-like behavior
      – Must balance quick response and thorough testing

  • Antivirus Programs
    – Digital Immune System
      – Tries to respond to integrated mail and Java/ActiveX attacks
      – Monitoring program uses a variety of heuristics to decide if a virus is present
      – Anything suspicious is forwarded to a central analysis machine
      – Central analysis machine creates a protected environment to test the suspect program more thoroughly
        – Determines the appropriate response
      – Response sent back to the client, and to other clients in the system
    – Email Viruses
      – Written as a Word/Outlook macro
      – Sends itself to everyone in the user's address book
      – Allows viruses to propagate quickly

  • Trusted Systems
    – May want several levels of security
      – Unclassified, Classified, Secret, Top Secret
      – Individuals may be cleared to a given level on particular projects
    – Rules to enforce:
      – No Read Up – All reads must be from equal or lower security objects
      – No Write Down – All writes must be to equal or higher security objects
        – Trojan cannot stash data in a hidden file
    – Reference Monitor
      – Complete Mediation – Check privileges on every access
      – Isolation – Must be isolated from user modification
      – Verifiability – Prove it is secure
    – Computer Security Center – Encourage widespread availability of trusted systems
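
A tiny reference monitor applying the two rules above (no read up, no write down) on every access, as an added example that is not part of the original slides. The level names come from the slide; the subjects, objects and the "trojan" scenario, in which a program running at Secret is refused when it tries to stash data in an Unclassified file, are constructed.

```python
# Added example (not from the slides): complete mediation of read/write requests against
# the four levels on the slide. Subjects, objects and requests are constructed.
LEVELS = ["Unclassified", "Classified", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def permitted(subject_level: str, op: str, object_level: str) -> bool:
    """Every read or write passes through here (complete mediation)."""
    s, o = RANK[subject_level], RANK[object_level]
    if op == "read":
        return o <= s          # no read up: object at or below the subject
    if op == "write":
        return o >= s          # no write down: object at or above the subject
    raise ValueError(f"unknown operation {op!r}")

def mediate(requests):
    """Decide each (subject, subject_level, op, object, object_level); return an audit trail."""
    trail = []
    for subj, slevel, op, obj, olevel in requests:
        decision = "allow" if permitted(slevel, op, olevel) else "deny"
        trail.append((subj, op, obj, decision))
    return trail

# A trojaned editor cleared to Secret reads a Secret file, then tries to copy it downward.
TROJAN_SCENARIO = [
    ("editor(trojan)", "Secret",     "read",  "plans.doc",  "Secret"),        # same level: ok
    ("editor(trojan)", "Secret",     "write", "hidden.tmp", "Unclassified"),  # write down: denied
    ("editor(trojan)", "Secret",     "write", "log.txt",    "Top Secret"),    # write up: ok
    ("viewer",         "Classified", "read",  "plans.doc",  "Secret"),        # read up: denied
]

def denied_writes(trail):
    """Objects the monitor refused to let anyone write: the trojan's stash attempts."""
    return [obj for _subj, op, obj, decision in trail if op == "write" and decision == "deny"]

if __name__ == "__main__":
    for entry in mediate(TROJAN_SCENARIO):
        print(entry)
```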

  • Network Security
    – Attack locations:
      – Communication links
      – Network nodes along the path taken
      – Inside the systems at either end
    – Locating Encryption Devices
      – Link Encryption
        – Encrypts the message on each link
        – Doesn't protect against a faulty node
      – End-to-End
        – Remains encrypted until destination
        – Routing information must be unencrypted
      – Both
        – Keep message contents secure at all times
        – Routing information secure except when the message is at a node
      – May use dummy messages to protect against traffic analysis

  • Private-Key Encryption
    – Encryption – scramble a message
      – Plaintext: Meet Joe at 6PM
      – Ciphertext: C5QE 6JX7 NLGY
    – Simple algorithms:
      – Substitution: ABCD → QWER
      – Transposition: ABCD → DACB
    – Key – Used to customize a generic encryption routine.
      – An enemy should not be able to determine the key even if the plaintext is known.
    – Brute Force – Try all possible keys to find one that works. Low security: 40-bit keys, high: 100+ bits
    – DES (1977) – 56-bit key, 64-bit block
    – Triple-DES (EK1/DK2/EK3) – 112-bit (K1=K3) or 168-bit (K1≠K3) key
    – Rijndael (2001) – Advanced Encryption Standard winner
      – Variety of key and block lengths (128+ bits)
      – http://www.nist.gov/encryption/aes/

  • Key Distribution
    – Conventional encryption requires the parties to share a secret key.
    – Achieving a shared secret key:
      – A selects a key, sends courier to B
      – Third party C selects a key, sends couriers to both A and B
      – A uses a previous key to send a new key to B – Dangerous if a key is broken
      – A and B have previously established encrypted connections to C; C creates a key, sends it to both
    – Session Key – A key used for the duration of one session, then discarded
    – Permanent Key – A key used for the purpose of distributing session keys
    – Key Distribution Center – Verifies who can communicate, creates session keys

  • Public-Key Encryption
    – Two-part key, with a public encryption key and a different private decryption key – hard to get one from the other
    – RSA (1977)
      – Choose two primes p, q, let n = pq
      – Select d relatively prime to (p-1)(q-1)
      – Compute e so de = 1 mod (p-1)(q-1)
      – n should be 1000 or more bits long
      – Example: p=211, q=311, n=65621, e=157, d=8293
        – Encrypt: plaintext^e mod n
          – "Hi" = 4869h = 18537
          – 18537^157 mod 65621 = 61157
        – Decrypt: ciphertext^d mod n
          – 61157^8293 mod 65621 = 18537
    – We often use RSA to send a DES or AES key that encrypts the data.
    – Digital Signatures
      – Signature contains hash, time stamp, etc.
      – Sign by decrypting the signature
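
The RSA steps listed above, run on the slide's toy parameters (p=211, q=311, d=8293, plaintext "Hi" = 4869h = 18537), as an added example that is not part of the original slides. Key generation follows the slide's order, choosing d first and deriving e from it; the block-size check and the text/integer helpers are additions of this example.

```python
# Added example (not from the slides): RSA key generation, encryption and decryption
# exactly as the slide describes, checked against the slide's numbers. The 16-bit n here
# is a teaching toy; the slide itself says n should be 1000 or more bits.
from math import gcd

def make_key(p: int, q: int, d: int):
    """Return (n, e, d): n = pq, and e the inverse of the chosen d modulo (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(d, phi) != 1:
        raise ValueError("d must be relatively prime to (p-1)(q-1)")
    e = pow(d, -1, phi)          # e*d = 1 mod (p-1)(q-1)
    return n, e, d

def encrypt(m: int, n: int, e: int) -> int:
    """plaintext^e mod n; the block must be an integer smaller than n."""
    if not 0 <= m < n:
        raise ValueError("block must be smaller than n")
    return pow(m, e, n)

def decrypt(c: int, n: int, d: int) -> int:
    """ciphertext^d mod n."""
    return pow(c, d, n)

def text_to_int(text: str) -> int:
    return int.from_bytes(text.encode("ascii"), "big")   # "Hi" -> 0x4869 = 18537

def int_to_text(value: int, length: int) -> str:
    return value.to_bytes(length, "big").decode("ascii")

def slide_example():
    """Reproduce the slide: returns (n, e, ciphertext, recovered plaintext)."""
    n, e, d = make_key(211, 311, 8293)
    c = encrypt(text_to_int("Hi"), n, e)
    return n, e, c, int_to_text(decrypt(c, n, d), 2)

if __name__ == "__main__":
    print(slide_example())   # (65621, 157, 61157, 'Hi')
```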

  • Breaking Protocols
    – May be able to get information without breaking the encryption
      – Bribe an employee
      – Ask "Can you remember my PIN?"
      – Look through the trash (or newly allocated memory/disk blocks)
      – Look over someone's shoulder to get their PIN, use discarded slips for account #
      – Change address, request new card, change the address back
    – Many common random-number generators are not safe for encryption
      – Send carefully-chosen random values, or share them with others
    – Decode signals emitted from CRTs
    – Often involves two or more events

  • Win 2000 Security
    – Each process has an access token
      – Created when the user logs in
      – Children inherit the token
      – Token holds security information for the user
      – Privileges normally disabled; processes can be enabled when necessary
    – Includes:
      – Security ID (SID)
      – Group SIDs
      – Privileges
      – Default Owner – Who owns new objects
      – Default Access Control List (ACL)
    – Security Descriptor
      – Flags – Type and contents
      – Owner
      – System ACL – What generates audit msgs
      – Discretionary ACL – Who can access it?

  • Access Control List
    – Overall header, and variable number of access control entries
      – Individual or Group SID
      – Access Mask – Defines rights to be granted
    – Top 16 Mask bits (figure 15.12, pg 686)
      – Synchronize – Wait() function
      – Write_owner – Can modify the owner of the object
      – Write_DAC – Modify the DACL
      – Read_Control – Query the owner and DACL fields of the security descriptor
      – Delete – Can delete the object
      – Generic_all, Generic_execute, Generic_read, Generic_write
      – Access_System_Security – Modify audit
        – Token must also have this bit set
      – Maximum_Allowed – Look at entire DACL, not just for the first entry that fits
    – When using an object, may ask for a