cyber crime and internet security - cse, iit bombaysiva/talks/ips07.pdfcyber crime and internet...

. . . . . .

The Good The Bad The Ugly?

.

.

. ..

.

.

Cyber Crime and Internet Security

िशवकुमार G. Sivakumar வ மா

Computer Science and Engineering

भारतीय ौ ोिगक सं थान मुबंई (IIT Bombay)[email protected]

October 7, 2007

The Good (Web 1.0, 2.0, 3.0)

The Bad (CyberCrime, Laws)

The Ugly? (Security, Forensics)

िशवकुमार G. Sivakumar வ மா Computer Science and Engineering भारतीय ौ ोिगक सं थान मुंबई (IIT Bombay) [email protected]


. . . . . .


.. The Good side first!

How is learning affected?िशवकुमार G. Sivakumar வ மா Computer Science and Engineering भारतीय ौ ोिगक सं थान मुंबई (IIT Bombay) [email protected]


. . . . . .


.. Internet’s Growth and Charter

Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...WebTone like DialTone



. . . . . .


.. Search Engines and Page Rank

How to drink water from a firehose?

Search Engines (google) crawl the web for us.

Recall (all available?) and Precision (all relevant?)

How to rank the pages? (syntactic?)

Reliability/Trust/Security issues

.What do profs do?.... ..

.

.

Visit www.phdcomics.com to find out!



. . . . . .


.. Web 2.0 Definition (O’Reilly)

.Web 2.0..

.

. ..

.

.

Web 2.0 is the network as platform, spanning all connected devices;

delivering software as a continually-updated service that gets better the

more people use it, consuming and remixing data from multiple sources,

including individual users, while providing their own data and services in

a form that allows remixing by others, creating network effects through

an architecture of participation, and going beyond the page metaphor of

Web 1.0 to deliver rich user experiences.

.Examples..

.

. ..

.

.

RSS/Blogs/FeedReaders, Slashdot/Digg, Wikipedia (printingpress: people can read, Web2.0: people can write!)Mashups- ingeniously combining web services e.g. Google Maps inother applications e.g. Mumbai Navigator



. . . . . .


.. Semantics and Intelligence (Web 3.0)

Collaboration is necessary, but is it sufficient?Want to know

When cheap Mumbai-Chennai round trips are available

with package tours to Mahabalipuram, if possiblebut not on weekdays...

Whenever new articles on chess appear

only in English, Tamil or Germanbut other langauges ok if it is about V. Anand!but not written by ......

Two margas for moksha

Monkey way is Web 1.0/2.0 (syntactic web)

Cat way is Web 3.0 ( sematic web )



. . . . . .


.. Desired Goal



. . . . . .


.. What are Cyber crimes?

.Cybercrime..

.

. ..

.

.

Activity in which computers or networks are a tool, a target, or aplace of criminal activity. These categories are not exclusive.

Examples

Against People

Cyber Stalking and Harrassment(Child) PornographyPhishing, Identity Theft, Nigerian 419

Against Property

CrackingVirus and SpamSoftware/Entertainment PiracyTrade secrets, espionage

Cyber Terrorism!

Hactivism! (in some countries!)Information Warfareिशवकुमार G. Sivakumar வ மா Computer Science and Engineering भारतीय ौ ोिगक सं थान मुंबई (IIT Bombay) [email protected]


. . . . . .


.. Security Concerns

Match the following!Problems Attackers

Highly contagious viruses Unintended blundersDefacing web pages Disgruntled employees or customers

Credit card number theft Organized crimeOn-line scams Foreign espionage agents

Intellectual property theft Hackers driven by technical challengeWiping out data Petty criminalsDenial of service Organized terror groupsSpam E-mails Information warfare

Reading private files ...Surveillance ...

Crackers vs. Hackers

Note how much resources available to attackers.



. . . . . .


.. Internet Attacks Timeline

From training material at http://www.cert-in.org.in/



. . . . . .


.. Internet Attack Trends

From training material at http://www.cert-in.org.in/



. . . . . .


.. Indian IT Act 2000

Basic Legal Framework

Electronic documents, signatures as evidence

Cyber Crimes & Punishments

Secn 43: Damage to Computers/NetworkSecn 65: Tampering source codeSecn 66: “Hacking” (cracking)Secn 67: Obscenity (bazee.com!)Secn 69: Interception

Several Initiatives (PKI, CERT-IN, Cyber cells, ...)



. . . . . .


.. cert-in.org.in



. . . . . .


.. Aug 2007 incidents



. . . . . .


.. Web Site Defacements



. . . . . .


.. CyberCellMumbai.com



. . . . . .


.. Cybercrime.gov



. . . . . .


.. www.dc3.mil



. . . . . .


.. CrimeResearch.org

Note emphasis on National Security and Economy



. . . . . .


.. We’re all International!



. . . . . .


.. InterPol



. . . . . .


.. onguardonline.gov



. . . . . .


.. Vulnerabilities

Application Security

Buggy codeBuffer Overflows

Host Security

Server side (multi-user/application)Client side (virus)

Transmission Security



. . . . . .


.. Denial of Service

Small shop-owner versus Supermarket

What can the attacker do?

What has he gained orcompromised?

What defence mechanisms arepossible?

Screening visitors usingguards (who looksrespectable?)VVIP security, but do youwant to be isolated?

what is the Internet equivalent?



. . . . . .


.. Security Requirements

Informal statements (formal is much harder)

Confidentiality Protection from disclosure to unauthorized persons

Integrity Assurance that information has not been modifiedunauthorizedly.

Authentication Assurance of identity of originator of information.

Non-Repudiation Originator cannot deny sending the message.

Availability Not able to use system or communicate when desired.

Anonymity/Pseudonomity For applications like voting, instructorevaluation.

Traffic Analysis Should not even know who is communicating withwhom. Why?

Emerging Applications Online Voting, Auctions (more later)

And all this with postcards (IP datagrams)!िशवकुमार G. Sivakumar வ மா Computer Science and Engineering भारतीय ौ ोिगक सं थान मुंबई (IIT Bombay) [email protected]


. . . . . .


.. Exchanging Secrets

.Goal..

.

. ..

.

.

A and B to agree on a secret number. But, C can listen to all theirconversation.

.Solution?.... ..

.

.

A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.



. . . . . .


.. Mutual Authentication

.Goal..

.

. ..

.

.

A and B to verify that both know the same secret number. Nothird party (intruder or umpire!)

.Solution?.... ..

.

.

A tells B: I’ll tell you first 2 digits, you tell me the last two...



. . . . . .


.. Cryptography and Data Security

sine qua non [without this nothing :-]

Historically who used first? (L & M)

Code Language in joint families!



. . . . . .


.. Symmetric/Private-Key Algorithms



. . . . . .


.. Asymmetric/Public-Key Algorithms

Keys are duals (lock with one, unlock with other)

Cannot infer one from other easily

How to encrypt? How to sign?



. . . . . .


.. One way Functions

Mathematical Equivalents

Factoring large numbers (product of 2 large primes)

Discrete Logarithms



. . . . . .


.. Security Mechanisms

System Security: “Nothing bad happens to my computersand equipment”virus, trojan-horse, logic/time-bombs, ...

Network Security:Authentication Mechanisms “you are who you say you are”Access Control Firewalls, Proxies “who can do what”

Data Security: “for your eyes only”

Encryption, Digests, Signatures, ...



. . . . . .


.. Network Security Mechanism Layers

.

.

. ..

.

.

Cryptograhphic Protocols underly all security mechanisms. RealChallenge to design good ones for key establishment, mutualauthentication etc.



. . . . . .


.. Forensics



. . . . . .


.. References

Books

TCP/IP Illustrated by Richard Stevens, Vols 1-3,Addison-Wesley.Applied Cryptography - Protocols, Algorithms, and SourceCode in C by Bruce Schneier, Jon Wiley & Sons, Inc. 1996Cryptography and Network Security: Principles and Practiceby William Stallings (2nd Edition), Prentice Hall Press; 1998.Practical Unix and Internet Security, Simson Garfinkel andGene Spafford, O’Reilly and Associates, ISBN 1-56592-148-8.

Web sites

www.cerias.purdue.edu (Centre for Education and Research inInformation Assurance and Security)www.sans.org (System Administration, Audit, NetworkSecurity)cve.mitre.org (Common Vulnerabilities and Exposures)csrc.nist.gov (Computer Security Resources Clearinghouse)www.vtcif.telstra.com.au/info/security.htmlिशवकुमार G. Sivakumar வ மா Computer Science and Engineering भारतीय ौ ोिगक सं थान मुंबई (IIT Bombay) [email protected]


cyber crime and internet security - cse, iit bombaysiva/talks/ips07.pdfcyber crime and internet...

Documents