overview of information security
TRANSCRIPT
Password Attacks
• The bad guy could try to guess your password on a site
• Try to log in again and again
• Works if the password is common, e.g. "password" or "password123"
• Also known as a "dictionary attack": try all the words in a dictionary
• This mostly fails, but a success here and there with an account that has a poor password is good enough for the bad guys
• Therefore: avoid having an obvious or commonly used password
  - a word in a dictionary
  - a pun or something that someone else might also use
Bad Passwords
• Do not need to be super elaborate (some sites go crazy with this)
• List of common passwords - do not use these!
  - password
  - password1
  - 123456789
  - 12345678
  - 1234567890
  - abc123
  - computer
  - tigger
  - 1234
  - qwerty
• Avoid a password that thousands of others out there have also chosen
Good Passwords
• What I do for secure passwords, e.g. a bank site
• Start with a word, add a misspelling, then add some random letters
• Could add some digits and/or punctuation and maybe some upper case letters
  - mottens,erx -- fine
  - Mottens,9erx -- better
  - MotenX,97erx -- probably more complex than necessary
• Important that the "erx" is truly nonsense, not like "xyz" that someone else on earth might tend to pick.
• Other problem: what if the site itself is compromised, so the bad guy possibly gets your password that way? Therefore, do not re-use your passwords across important sites like banks.
• Consider writing down important passwords on a slip of paper at home. Otherwise it's hard to keep it all straight in your head.
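An added example (not part of the lecture) that turns the password advice above into a check a site could run at sign-up: it applies the same cheap tricks a dictionary attack applies (lower-casing, stripping leading/trailing digits and punctuation, undoing letter-for-symbol substitutions) and then looks the remaining core word up in the lecture's common-password list and a small stand-in dictionary. COMMON_PASSWORDS, DICTIONARY_WORDS and weak_password_reasons are assumed names, and the word list is constructed.

```python
import re
from typing import List

# Constructed from the lecture's list of common passwords; a real check would
# load a much larger list of known-bad passwords.
COMMON_PASSWORDS = {
    "password", "password1", "123456789", "12345678", "1234567890",
    "abc123", "computer", "tigger", "1234", "qwerty",
}

# Tiny stand-in for a real word list (assumption: load /usr/share/dict/words or similar).
DICTIONARY_WORDS = {"mittens", "tiger", "monkey", "dragon", "welcome", "summer"}

# Decorations a guessing attack also tries, so they add almost no strength.
_EDGE_DECORATION = r"[\d!@#$%^&*.,]+"
_LEET = str.maketrans("013@$", "oleas")


def core_word(password: str) -> str:
    """Strip what a guessing attack would strip: case, leading/trailing digits and
    punctuation, and symbol substitutions ("P@ssw0rd1" -> "password")."""
    core = password.lower()
    core = re.sub(_EDGE_DECORATION + r"$", "", core)
    core = re.sub(r"^" + _EDGE_DECORATION, "", core)
    return core.translate(_LEET)


def weak_password_reasons(password: str) -> List[str]:
    """Return the reasons a password is weak; an empty list means no obvious problem.
    Truly random additions like the lecture's "erx" survive the stripping and pass."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    core = core_word(password)
    if core in COMMON_PASSWORDS or core in DICTIONARY_WORDS:
        reasons.append("'%s' is a common or dictionary word once decoration is stripped" % core)
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["password123", "tigger", "P@ssw0rd!", "Mittens99", "mottens,erx"]:
        print(candidate, "->", weak_password_reasons(candidate) or "looks fine")
```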
Phishing Attacks
• "Phishing", i.e. the bad guy is "fishing" for you
• Bad guy tricks you into exposing your password or whatever
• No doubt you have received many phishing emails
  - e.g. a phishing email that points at the bad guy's site, not the real eBay site
  - Email might say something provocative - "fraud alert, click immediately"
  - When I type my password into either of these .. it goes to the bad guy
  - Arrow is over the first link; see the url at the bottom of the email
• Note: not related to an actual transaction or account .. bad guys just spew these out, hoping to fool someone
• Alternately could have a phishing web site that imitates the real eBay site
  - Bad guy emails out or in some other way distributes the url to the phishing site
• Bad guys want passwords for sites that have something to do with money
Fake ATM Machine -- Real World Analogy
• Funny "phishing" crime in real life
• Fake ATM in front of a bank .. prints an error message, but records the card details and PIN for the bad guy
Avoiding Phishing
• Don't trust urls in emails or random sites, especially when leading to a login page
  a. Scrutinize the url as shown in your browser or email program
     - Bad guy url will try to look legit, like www.ebay.bad-guy.ru
  b. (more secure) Type the url in yourself -- if it claims to be from eBay, type www.ebay.com into your browser yourself.
• Firefox etc. can do extra green highlighting of the "real" site
  - e.g. www.schwab.com (demo)
• Look for https in the url (below)
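An added example (not from the lecture) of doing the url scrutiny in step (a) programmatically: it reduces a link's hostname to the domain that somebody actually had to register and compares that with the expected site, so www.ebay.bad-guy.ru comes out as bad-guy.ru no matter how many "ebay" labels are stuck in front. TRUSTED_SITES, PUBLIC_SUFFIXES and check_link are assumed names, and the suffix list is a tiny constructed stand-in for the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed: the sites from the lecture and the domain their real pages live under.
TRUSTED_SITES = {"ebay": "ebay.com", "schwab": "schwab.com"}

# Tiny stand-in for the Public Suffix List (assumption: a real check loads the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "ru", "co.uk"}


def registrable_domain(hostname: str) -> str:
    """The part of a hostname somebody had to register: the label just left of the
    public suffix. For www.ebay.bad-guy.ru that is bad-guy.ru; 'ebay' is decoration."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return hostname.lower()


def check_link(url: str, claimed_site: str):
    """Return (ok, reason) for a link that claims to come from claimed_site."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # .hostname drops any "user@" prefix and port, which
    expected = TRUSTED_SITES[claimed_site]   # is how "www.ebay.com@bad-guy.ru" gets caught
    actual = registrable_domain(host)
    if actual != expected:
        return False, "link goes to %s, not %s" % (actual, expected)
    if parts.scheme != "https":
        return False, "not https, so the site's identity is not verified"
    return True, "%s really is part of %s" % (host, expected)


if __name__ == "__main__":
    for link in ["http://www.ebay.bad-guy.ru/signin",
                 "https://www.ebay.com@bad-guy.ru/signin",
                 "https://signin.ebay.com/ws/login"]:
        print(link, "->", check_link(link, "ebay"))
```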
HTTPS
• HTTPS - "secure" variant of HTTP to transfer the bytes of a web page over the internet
• Does two things:
  a. HTTPS verifies the other end, so it really is www.schwab.com or whatever
     - Helps with anti-phish, but the user still needs to look at the url
     - Checking that it's www.schwab.com, not www.schwarb.bad-guy.ru
  b. HTTPS encrypts all the traffic, so interception of the bytes does not work
Malware Attacks
How Do I Feel About This File?
• Suppose a bad guy emails you the following sort of file:
  - A plain .TXT file, which you open and read on your computer
  - A .JPG file, which you then open and look at on your computer
  - A program .EXE file -- a program -- which you copy on to your computer and run (.EXE is just a Windows convention, but I'll use it here to indicate a program)
  - A .DOC file which you then open and read on your computer
Passive Content = Safe, Program = Unsafe
• If the bad guy gets you to run bad-guy-authored code on your computer, the computer is compromised; the bad guy wins
• The code can take actions and it's inside the computer
• Key: if bad-guy-authored code is downloaded to the computer and runs .. the bad guys have won
• Variations below will all center on this downloaded ".EXE" case
• So we trust passive content (.TXT .JPG) but not active programs (.DOC .EXE).
• Unfortunately, many seemingly passive formats, such as .DOC, can have "program" type qualities in them as an advanced feature
  - e.g. .DOC can be unsafe because of Microsoft Visual Basic macros embedded in it ... this used to be a huge source of problems (search for "macro virus")
• "Malware" - generic term for a program that does something bad
Malware 1 - Trojan
• Trojan is malware disguised as something else
• So the user downloads it or accesses it, not aware that it will do something bad
  - e.g. JustinBieberJPEG.exe
  - e.g. SuperAntiVirus.exe -- this is actually a common Trojan ruse!
• Try to make it look like harmless content, not a program
• Claim to be a program that does something many people want, but really it's malware
• Operating systems may have a helpful warning: "this is a program you downloaded, do you want to run it?"
• Therefore:
  - Don't run programs from random sources (google it first, see what people say)
  - If something is from a well known domain and has lots of downloads, I figure someone would have flagged it if it was malware
Malware 2 - Vulnerability
• Suppose there is a bug in the Flash animation display program
• When fed certain pathological animation bytes, the program breaks and gives access to the machine
• So the bad guy puts up a malicious Flash animation, and then sends links to it on sites or in spam
• Just visiting the page with the bad content is enough to compromise the machine if it is vulnerable
• This is probably the most scary case, as the user does very little
• Solution:
  - Keep web-facing software up to date
  - All browsers now have strong auto-update channels, so by default the right thing tends to happen
• Aside: this is also why having a proprietary format like Flash be a key part of the internet is maybe not a good architecture. People were very dependent on Adobe to fix the software very quickly, and Adobe's record was very uneven.
Virus
• A computer virus is a malware program that, when executed, replicates by inserting copies of itself (possibly modified) into other computer programs, data files, or the boot sector of the hard drive; when this replication succeeds, the affected areas are then said to be "infected".
• Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming their contacts, or logging their keystrokes. However, not all viruses carry a destructive payload or attempt to hide themselves—the defining characteristic of viruses is that they are self-replicating computer programs which install themselves without the user's consent.
• Virus writers use social engineering and exploit detailed knowledge of security vulnerabilities to gain access to their hosts' computing resources. The vast majority of viruses target systems running Microsoft Windows, employing a variety of mechanisms to infect new hosts, and often using complex anti-detection/stealth strategies to evade antivirus software.
Firewall
• A firewall is a network security system that controls the incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is not assumed to be secure and trusted. Firewalls exist both as a software solution and as a hardware appliance.
• Many personal computer operating systems include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.