William Stallings, Cryptography and Network Security 5/e
By P. Raveendra Babu
Asst.Professor
CSE Department
V R Siddhartha Engineering College Vijayawada
Mobility Facts
On average, people check their phones 150 times a day; that's once every 6.5 minutes
More than 1.5 million apps are available in the App Store, Google Play, Windows Store and BlackBerry App World
On average, each smartphone user runs 41 apps
Every day, more Android phones are activated than babies born
Expected to grow to 20 million by 2020
The three big mobility trends
1. Tablets are liberating IT from the desktop
2. Smartphones are redefining customer service into 24x7 anytime anywhere contextual interactions
3. Tablets are the new battleground for attracting and retaining profitable customer segments
World-wide Smartphone Sales
A whopping 60% growth in smart device sales
In 2006, Android, iOS, Windows Phone and Bada did not exist and just 64 million smartphones were sold
Of the world's 4 billion phones, 1.08 billion are smartphones
[Chart: smartphone sales, 2006 vs 2013]
Future Networks – Internet of Things: Opportunities
Source: http://blog.trentonsystems.com/internet-of-things-crosses-business-personal-boundaries/
"Things" connected to the Internet
Image courtesy: Cisco
Why is cyber space at risk?
Defending is difficult: risk vs convenience; increasing complexity; security was never a part of the Internet; varied threats and threat actors
Attacking is easy: attacker's anonymity; attribution challenges; inconsistent laws; proximity is no longer a requirement
Cyber space is getting target-rich: increasingly valuable; increasingly online; increasing dependency; technical convergence
Contents
Password
Security threats to passwords
Best practices to create passwords
Handling passwords
Real time examples
E-mail attacks
Password
A password is the most common method for users to authenticate themselves when entering computer systems or websites. It acts as the first line of defence against unauthorized access, and it is therefore critical to maintain the effectiveness of this line of defence by rigorously practising a good password management policy.
SECURITY THREATS TO PASSWORDS
The following are common security risks where a legitimate user may lose his or her password:
Over the shoulder attack: when a person types in his or her password, someone might be able to observe what is typed and hence steal the password by looking over the person's shoulder, or by indirect monitoring using a camera.
Brute-force attack: because a password has a finite length, usually 8 alphanumeric characters, an attacker can use programs that automatically generate passwords, trying all possible combinations until a valid password is found. With recent advances in computing power, the time needed to execute a successful brute force attack has dropped considerably.
Sniffing attack: when a password is sent over a network, it could be captured by network sniffing tools if the network channel is not properly encrypted. In addition, certain malicious tools (such as a keylogger) might be able to capture a user's password when the password is typed in during the authentication process.
Login spoofing attack: this is where an attacker sets up a fake login screen that is similar in look-and-feel to the real login screen. When a user logs in to the fake screen, his password will be recorded or transmitted to the attacker.
Dictionary attack: a hacker uses a program or script to try to log in by cycling through combinations of common words.
Key logger attack: a hacker uses a program to track all of a user's keystrokes, so at the end of the day everything the user has typed, including their login IDs and passwords, has been recorded. Key logger attacks are also different because stronger passwords don't provide much protection against them, which is one reason that multi-factor authentication (MFA) is becoming a must-have for all businesses and organizations.
With two-factor authentication (also called multi-factor authentication, 2FA, and advanced authentication), a user is required to not only provide a password to gain access to the system, but also another security "factor", like a unique one-time access code generated from a token device or secure mobile app on their smartphone. A network protected by MFA is nearly impenetrable to an outside attack; even if a hacker is able to obtain a system password, he won't be able to provide the needed second security factor.
BEST PRACTICES
Examples of bad passwords that can be easily guessed or cracked using password crackers freely available on the Internet:
"password" - the most easily guessed password
"administrator" - a login name
"Cisco" - a vendor's name
"peter chan" - a person's name
"aaaaaaaa" - repeating the same letter
"abcdefgh" - consecutive letters
"23456789" - consecutive numbers
"qwertyui" - adjacent keys on the keyboard
"computer" - a dictionary word
"computer12" - simple variation of a dictionary word
"c0mput3r" - simple variation of a dictionary word with 'o' substituted by '0' and 'e' substituted by '3'
Simple rules to create a password: DON'Ts
Do not use your login name in any form (as-is, reversed, capitalised, doubled, etc).
Do not use your first, middle or last name in any form.
Do not use your spouse's or child's name.
Do not use other information easily obtained about you. This includes ID card numbers, license numbers, telephone numbers, birth dates, the name of the street you live on, and so on.
Do not use a password that contains all digits, or all the same letters. Do not use consecutive letters or numbers like "abcdefgh" or "23456789".
Do not use adjacent keys on the keyboard like "qwertyui".
Do not use a word that can be found in an English or foreign language dictionary.
Do not use a word in reverse that can be found in an English or foreign language dictionary.
Do not use a well-known abbreviation e.g. HKSAR, HKMA, MTR.
Do not reuse recently used passwords.
Do not use the same password for everything; have one password for non-critical activities and another for sensitive or critical activities.
DO's
1. Use a password with a mix of at least six mixed-case alphabetic characters, numerals and special characters.
2. Use a password that is difficult to guess but easy for you to remember, so you do not have to write it down.
3. Use a password that you can type quickly, without having to look at the keyboard, thereby preventing passers-by seeing what you are typing.
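The DON'Ts and DO's above can be enforced at the point where a password is chosen. This is an added Python example, not from the deck, that checks a candidate against those rules: name and login name in any form (as-is, reversed, doubled, case-folded), all digits or repeated/consecutive characters, adjacent keys, dictionary words and abbreviations including reversed and simple "c0mput3r"-style variations, and the minimum mix of character classes. The word lists are constructed from the deck's own examples; a deployment would load a full dictionary.

```python
import re

# Constructed lists standing in for a real dictionary; they hold the deck's examples only.
DICTIONARY = {"password", "administrator", "computer", "cisco"}
ABBREVIATIONS = {"hksar", "hkma", "mtr"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo the usual single-character substitutions, so c0mput3r reads as computer.
LEET = str.maketrans("0134578@$", "oleastbas")


def _variants(word):
    """The deck's 'any form' of a name: as-is, reversed, doubled (case is ignored)."""
    w = word.lower()
    return {w, w[::-1], w * 2}


def _is_run(s):
    """Repeated character ('aaaaaaaa') or consecutive characters ('abcdefgh', '23456789')."""
    s = s.lower()
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps <= {0} or steps == {1} or steps == {-1}


def _on_keyboard_row(s):
    """Adjacent keys typed along one keyboard row, in either direction ('qwertyui')."""
    s = s.lower()
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw, login="", personal=()):
    """Return the deck rules the password violates; an empty list means it passes."""
    low, problems, known = pw.lower(), [], set()
    for item in (login, *personal):            # names, ID numbers, phone numbers, ...
        for part in (item, *item.split()):     # "peter chan" also yields "peter", "chan"
            if part:
                known |= _variants(part)
    if low in known or any(k in low for k in known if len(k) >= 4):
        problems.append("built from the login name or personal information")
    if pw.isdigit() or _is_run(pw) or _on_keyboard_row(pw):
        problems.append("all digits, repeated/consecutive characters or adjacent keys")
    words = {low, low.translate(LEET), re.sub(r"\d+$", "", low)}   # computer12 -> computer
    if (words | {w[::-1] for w in words}) & (DICTIONARY | ABBREVIATIONS):
        problems.append("dictionary word or abbreviation, possibly disguised or reversed")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if len(pw) < 6 or not all(re.search(c, pw) for c in classes):
        problems.append("needs at least six characters with mixed case, numerals and specials")
    return problems
```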
HANDLING PASSWORDS
DON’Ts
Do not write down your password, particularly anywhere near your computer or file it in a box file with the word 'password' written on it.
Do not tell or give out your passwords to other people, even for a very good reason.
Do not display your password on the monitor.
Do not send your password unencrypted, especially via email.
Avoid using the “remember your password” feature associated with some websites,
and disable this feature in your browser software.
Do not store your password on any media unless it is protected from unauthorised
access (e.g. encrypted with an approved encryption method).
DO's
1. Change your password frequently, at least every 90 days.
2. Change the default or initial password the first time you login.
3. Change your password immediately if you believe that it has been compromised. Once done, notify the system/security administrator for follow up action.
Washing Machine
• 3 years guarantee
• Fully automatic
• At the time of purchase, data fed in to the computer
• Damaged exactly after 1098 days…
• Analysis of chip: Logic Bomb
Embedded Forensics
December 2012: a vulnerability in Samsung Smart TVs that allows an intruder to take control of the devices that are connected to the same network.
November 2013: LG's Smart TVs are sending personal information back to the company's servers about what channels you watch and viewing habits.
July 2013: another vulnerability allowed hackers to remotely crash Samsung Smart TVs without much effort.
Taiwan Government
[Figure: three motion sensors and an ECG sensor connected to the Internet]
People Connecting to Things
What happens?
Safest computer on Earth?
Operation Quantum: the devices can be secretly installed in the computers when they are manufactured.
WHERE WE ARE: DO YOU KNOW WHAT THE OS / APPLICATION PACKAGE IS DOING BEHIND THE SCENES?
CAN YOU TRUST YOUR ROUTER?
The US government identified flaws in equipment from four companies, including Cisco Systems, which hackers can exploit to break into computer networks (3 December 2009).
14 trapdoors were identified in the most popular operating system.
SUSPICIOUS ROUTER
[Figure: users, Internet switch, RADIUS server, Internet, monitoring personnel, enemy country]
ZTE & Huawei
A future nightmare scenario could be the disabling of trains, financial networks and water supply in combination with a physical attack. "The collective result could be a cyber-Pearl Harbour, an attack that would cause physical destruction and loss of life… and create a profound new sense of vulnerability" - Leon Panetta, US Defense Secretary.
China is said to have a 30,000-strong cyber army with another 150,000 hackers who serve as a support group.
Russia is said to have 7,000 cyber warriors.
WHERE WE ARE: IS THE ANTI-SPYWARE YOU PURCHASED SPYWARE OR ANTI-SPYWARE?
Why is certain spyware not detected even by the best anti-spyware programs?
WHO CAN DECRYPT YOUR ENCRYPTION ALGORITHM?
WHO KNOWS YOUR ATM PIN?
GUERRILLA MAIL
Changing scenario (Crimes)
1st generation - Fraud
Production of fake currency, ---
2nd generation - Fraud
Fake profiles, morphed images, phishing, cyber squatting
Manipulation of software for gains, stealing passwords
Recruitment frauds, online bookings
Team Viewer
Cyber defamation
PMO
CBI website hacked
DATA DIDDLING INVOLVES ALTERING THE RAW DATA JUST BEFORE A COMPUTER PROCESSES IT AND THEN CHANGING IT BACK AFTER PROCESSING IS COMPLETED.
SECONDARY STATE BOARD: PRIVATE STUDENTS TOPPED OVER GOVT STUDENTS.
6-DIGIT ROLL NUMBER: GOVT STUDENTS' ROLL NUMBERS START WITH 3, PRIVATE STUDENTS' START WITH 4.
SOFTWARE MANIPULATION:
FOR ROLL_NO STARTING WITH 3, IF > 68 AND <= 100, DEDUCT 9
FOR ROLL_NO STARTING WITH 4, IF > 68 AND < 88, ADD 9
Mobile billing?
A few--
Manager of a bank: transferring money from dormant savings bank accounts to his account, re-depositing after 15-30 days
GUESS?
Phishing
The Delhi High Court address is http://delhihighcourt.nic.in, while the phishing website address is http://delhi.highcourt.in.
CASE OF ICICI BANK
[email protected] ASKED TO VALIDATE OR CONFIRM ACCOUNT DETAILS FOR VERIFICATION: USER IDS, LOGIN PASSWORD AND TRANSACTION PASSWORD.
http://infinity.icicibank.co.in/verify.jsp: ON CLICKING, TWO WINDOWS OPEN; PRESS THE "VERIFY" TAB AND THE WEB PAGE TAKES YOU TO http://icici.com, WHICH REDIRECTS TO www.icicibank.com.
ACTUAL URL: http://all-about-notebooks.com/icici/verify.php
ICICI NEITHER OWNS NOR IS IN ANY WAY CONNECTED WITH THE SAID URL.
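Both phishing cases above (the Delhi High Court lookalike, and the ICICI link whose real destination differed from the address shown) come down to one check: which domain was actually registered, and does it match what the reader sees. This is an added Python example, not from the deck, that reduces a link to its registrable domain and compares it with the displayed address; the public-suffix list and the list of legitimate domains are constructed from the addresses on these slides, not a real reference list.

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix list; a real check would use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "in", "co.in", "nic.in", "gov.in"}
# Constructed allowlist of the genuine sites named on the slides.
LEGITIMATE = {"delhihighcourt.nic.in": "Delhi High Court", "icicibank.com": "ICICI Bank"}
BRAND_WORDS = {"icici", "highcourt"}   # brand names that should only appear on LEGITIMATE


def registrable_domain(host):
    """The part of the host someone actually registered: one label plus the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):                 # longest matching suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return host.lower()


def classify_url(url):
    """Return (verdict, registrable_domain) for a link found in a message."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in LEGITIMATE:
        return "legitimate", domain
    # delhi.highcourt.in and all-about-notebooks.com/icici/... both carry a brand
    # name in the host or path while the registered domain is unrelated.
    if any(brand in (host + parts.path).lower() for brand in BRAND_WORDS):
        return "suspicious: brand name on an unrelated domain", domain
    return "unknown domain", domain


def check_link(display_text, href):
    """Compare the address shown to the reader with where the link really goes."""
    verdict, dest = classify_url(href)
    shown_host = urlsplit("http://" + display_text.split("://")[-1]).hostname or ""
    shown = registrable_domain(shown_host)
    if shown and shown != dest:
        return f"mismatch: shows {shown} but goes to {dest}"
    return verdict


if __name__ == "__main__":
    print(check_link("http://infinity.icicibank.co.in/verify.jsp",
                     "http://all-about-notebooks.com/icici/verify.php"))
```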