class 5 privacy security

8/4/2019 Class 5 Privacy Security

http://slidepdf.com/reader/full/class-5-privacy-security 1/34

CPSC 101

Privacy and Security



Learning GoalsBy the end of this unit, you will be able to:

Define “computer security” in terms of the C-I-A principles

Explain how we uphold the C-I-A principles, and give examples of what that means in

simple administrative systems Lists the types of ways in which computer security can be compromised

List the risks associated with computers, and the vulnerabilities that have been identifiedhere

Describe the differences between viruses, trojans and worms. Describe goals and techniques of hackers and understand basic ways of dealing with

them.

Differentiate different online activities among associated risk (i.e. online banking is arelatively safe activity-- explain why)

Define encryption and the Caesar Cipher; translate an encoded message given a key usingthis cipher

Differentiate between black box and white box security and their relative merits.

Respect the danger; be responsible computer users! Explain why computer security is

important. Justify your behavior as a responsible computer user.



Defining Computer Security Computer and network security are built upon three general

principles (C-I-A):

Confidentiality

Data is kept hidden from all but those authorized to view it

Integrity

Data remains in the same state as it was left by the last authorized user; cannot

be corrupted either accidentally or maliciously

Availability

Data is accessible to authorized users as necessary, in a convenient format, and

without unreasonable delay



Defining Computer SecurityCentral to upholding the C-I-A are the following:

Identification

Who do you say you are?

Authentication

How do I know it’s really you?

Authorization Now that you are here, what are you allowed to do?

Accountability

Who did what? Who’s responsible? When did they do it?



Defining Computer SecurityExample, “keep-it-simple” administration:

Identification

Username

Authentication

Password

Authorization Accessibility restrictions

Accountability

Record major actions of the user in the previous 7 days

What is wrong with this? How do I break in?



Defining Computer SecurityExample, high-security administration:

Identification

Username

Authentication

Biometric reader (retina, finger print, voice analysis)

Password

Authorization

Accessibility restrictions

Accountability Record all actions taken by the user indefinitely.



Computer Security1. Write the names and student IDs of the 2-4 students

participating on one sheet of paper.

2. List 3 examples of computer security threats or issues.

3. List 2 ways of dealing with each type of threat.

4. Come up with a definition of “Computer Security”.



Computer Security BasicsMajor computer security issues:

Identity theft / Personal theft Viruses / Trojans / Worms

Spyware / Adware

National security Privacy concerns

Protecting our children

Hackers / Software crackers Spam / email fraud / spoofing



Types of Threats Unintentional threats:

Carelessness causes more problems than you might first imagine.

In general, more information is lost/compromised through acts of

carelessness than through acts of malice!

What are the major threats from carelessness?

Intentional threats:

The reality is the average user is not only incapable of mounting a

serious attack on a computer, but likely completely disinterested in

doing so.

Nonetheless, criminals and vandals who are capable and desirous do

exist.

Natural threats



Vulnerability

The onset of broadband-- rapid, personal Internet

connections-- has changed our risk factors

Now we have everyday users with computers at home, connected tothe Internet, and running 24/7

i.e. targets!

It is estimated that the between the initial set up of a computer andthe first attack is < 2 minutes!

This can happen before you have time to install countersoftware!

New computers can have viruses within minutes!



VulnerabilityTypes of vulnerability:

Physical

Theft, sabotage, vandalism of physical hardware

Locks, guards and biometrics can be put in place to reduce

Natural

Environmental threats (dust, humidity, temperature/power fluctuations),

natural threats (lightning, fires, floods), natural disasters (floods, earthquakes) Hardware/software vulnerabilities

Exploitation by hackers/crackers



VulnerabilityOther types of vulnerability:

Media

Lost/damaged backup media; “erasing data”; media degredation

Communication Intercepting data/messages (electronic eavesdroppers)

Humans!

What if your network admin decides on a life of crime? What if someone writes down a key password and loses it?



Vulnerability

That is, your system may be participating in illicit behaviour without

your knowledge.Examples include:

Distributed Denial of Service attacks (DDoS), where a target is bombarded with requests so as to overwhelm and disable the system

Email Relays where your system is used to relay spam or even

pornography-- such messages look like they come from you!

Illicit Website Hosting where your computer may be hosting web

sites that you’re not aware of.



Hacking / Cracking A word with lots of history. Some attempts have been made

to differentiate “hacking” from “cracking” by emphasizing that

hacking is non-destructive.

Overall, the key goals for hackers are to:

Gain unrestricted or root access and the installation of a back

door which provides easy future access to the system.

Search for valuable data like passwords, credit card numbers, or

important files.

Sometimes and, in the best case, simply entertainment.



Hacking / Cracking Techniques Dictionary Attack: beat a password by using a massive dictionary of the most

common passwords.

Port / File Scanning: identifying vulnerable programs that are listening to

network ports or files that have incorrect access controls and using them. Packet Sniffing: intercepting and reading network traffic and looking for

valuable data like passwords or credit card numbers.

Code Injection Attacks: sending a malformed message to a program that

causes actions that are unwanted. Shoulder surfing: finding passwords by literally watching people type them.

Password gathering: using passwords from one system to break into othersystems.

Default exploits: a technique for accessing a system by exploiting defaultpasswords that may be left unchanged.

Why am I teaching you this? (Hint: no, I’m not trying to make you ahacker)



“Viruses” Virus is a term that is often incorrectly used to describe

several varieties of malicious programs:

Virus: fairly uncommon in modern computing. True virusesare programs that spread through human intervention such as

infecting an USB drive or email. Commonly and incorrectly

used as a name for all malware programs. Trojan: a very common type of malware. Trojans are programs

that pretend to be another program.

Worm: another common type malware. Worms are malwareprograms that move automatically from computer to computer.



Privacy and Authentification: Email Email travels through several layers of systems in its journey

from sender to recipient

In theory, anyone with the right level of access and technical expertise

can read your email without you ever knowing

Email typically contains the address of the sender, however these

addresses can be forged

Ever receive spam that looks like it’s from someone you know?



Privacy and Authentification: EmailHow can we protect ourselves?

Emails with highly sensitive content simply should not be sent

Give credit card information over the phone during a call that

you place.

If you must send sensitive content, send an encrypted message

Thus, if it is intercepted, the perpetrator will see only an

encrypted message

What does both of these assume?



Privacy and AuthentificationHow can we protect ourselves?

Choose your passwords wisely!

Don’t use obvious words Don’t use single words

Intentionally misspell a word or use acronyms

Choose passwords at least 8 characters long

Mix upper and lower case

Add numbers, punctuation marks, or symbols

Don’t write your password down or tell anyone

Change your password regularly



Online banking, etc. What are our concerns?

How do we know when we are doing our online banking that

our data is really safe?

What do banks do to protect us?

Is our data safe even on our own computers?

Let’s take a look at how banks protect us (and themselves)...



Shh… It’s a secret! First, banks use something called 128-bit encryption

Encryption refers to a process of hiding data such that the

original information can only be recovered through thecorresponding decryption process.

The science of encryption-decryption is called cryptography

In general, the algorithms for these method are publicly available

Wait a second! Publically available? Wouldn’t it be better if thealgorithms were secret?



Black Box vs White Box Security Black box security: Information about the security

techniques are hidden to prevent vulnerabilities from being

detected. Problem: you are assuming that your information stays hidden.

White (or Clear) box security: Information about the

security is publically available.

If you are safe with white box security, your system is truly

secure since are not relying on information remaining secret.

White box security encourages examination and early detection

of threat by ethical hackers.



Shh… It’s a secret!If the cryptography algorithms are public, then how is our

data safe?

Through the use of a key

Sample key: 0001000 10101010 00101000 01101110

An encrypt. algorithm takes the original message and the key,

and uses the key to alter the original message based on the

contents of that key

Thus, even if you have the decryption algorithm, you cannot

decrypt a message without the key!

It’s the keys that must be top secret!



Caesar Cipher The Caesar Cipher is one of the earliest examples of

cryptography supposedly invented by Julius Caesar

A cipher is a means of transforming text in order to contain it’s meaning

Caesar would take the alphabet and shift it a certain number of

spaces

For example, if the shift was 3, then A would become D, B would be

E, etc.

The key was then the shift factor (how much you shifted)



Caesar CipherFor example, a shift-factor of 3 (key == 3) would change the

following message

THIS IS MY FAVOURITE CLASS!

to...

WKLV LV PB IDYRXULWH FODWW!

If we take out the punctuation and spaces...

WKLVLVPBIDYRXULWHFODWW



Back to online banking So how does the bank use this?

They use a key that is 128-bits long... that is...

XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX



XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX... zeros and ones

This key is so powerful that it is currently the highest available

(legally) Stealing information encrypted at this level is virtually impossible



Virtually impossible?Well, unless you’re planning on living forever and have a lot of

time on your hands...

Consider this... using 128-bit keys: There are 2128 possible keys

That is, 340,282,366,920,938,463,463,374,607,431, 768,211,456 possible

combinations of ones and zeros If we assume we can test 60 keys a second, that’s

567,137,278,201,564,105,722,910,123,862,803,524 seconds

Or, 94,522,879,700,260,684,295,381,835,397,713,392 minutes Or, 1,575,381,328,337,678,071,589,697,256,628,556 hours

Or, 65,640,888,680,736,586,316,237,385,692,856 days

Or, 179,838,051,180,100,236,482,842,152,583 years



Wow, so it’s bullet proof right?Well, not exactly. The encryption itself is essentially impossible to

break...

..but what matters is where the security measures are being applied All of your data that is transferred over the Internet has to be secured

to this level

How can you be sure that the encryption technique is really so hardto break? Mathematical tricks have broken several previous

encryption techniques.

How can you tell if data is encrypted? Look for the padlock, orsimilar symbol indicating that all content sent to or from this site is

encrypted. Check the company for more information on what bit

encryption they use.



To make things even stronger… Encryption ensures that someone cannot break in or

intercept your banking data

Banks also use PINs (personal identification numbers) andpasswords

This means that someone can’t pretend to be you, without logging

in as you Here’s where good password choices are important

Companies through whom you may purchase or otherwise

provide banking information also use direct-modem connections

Direct connections that are not through the Internet



What’s a user to do?It’s a scary world out there, admittedly...

You need to worry about power failures, natural disasters, making

backups, worms, trojans, physical theft.

You need to worry about computer abuse and the unwittingly role

you may play if you do not adequately protect your computer.

If you are on a network, you must observe network security and

access restrictions.



What’s a user to do?Recognize your responsibility!

If you operate a computer of any kind then you share a responsibility

for computer security

Run virus software and keep it up-to-date

Run a firewall to protect your system from unwanted visitors, and

keep up-to-date

Practice responsible web surfing and email browsing

Never click on a link in an email unless you are sure of the

sender/source; if you’re not sure, email your friend and ask for

confirmation

Never respond to email phishing; this includes “unsubscribe”

requests!



What’s a user to doRecognize the real threats...

The likelihood of your data being stolen through an encryptedsite, such as a banking website, or online store, is extremelyslim

But first do your research and ensure that they have adequateencryption

Also check for the padlock before ever entering/submittingdata

Most data is compromised due to carelessness and irresponsible

computer users Ask yourself: is that you?



Summary

There are different levels of risks associated with

computers

We must understand those risks and our responsibilitieswith upholding computer security

There are many types of computer vulnerabilities, andmany ways to respond to each of those vulnerabilities

Still, many aspects of computing are safer than we may

initial think, such as online banking



Learning GoalsBy the end of this unit, you will be able to:

Define “computer security” in terms of the C-I-A principles

Explain how we uphold the C-I-A principles, and give examples of what that

means in simple administrative systems

Lists the types of ways in which computer security can be compromised

List the risks associated with computers, and the vulnerabilities that have

been identified here

Differentiate different online activities among associated risk (i.e. online

banking is a relatively safe activity-- explain why)

Define encryption and the Caesar Cipher; translate an encoded message given

a key using this cipher

Respect the danger; be responsible computer users! Explain why computer

security is important. Justify your behaviour as a responsible computer user.

class 5 privacy security

Documents