
Michael Liu

University of Waterloo

There are three major sources for these slides:

  Chapter 01 lecture slides, Cryptography and Network Security, 4th edition, Stallings
  The textbook by Laudon, Laudon and Brabston (2009), Management Information Systems: Managing the Digital Firm, Fourth Canadian Edition, Toronto, Pearson Prentice Hall, 2009 Pearson Education Canada
  The lectures developed by Dr. Anne Pidduck

Textbook Chapter 08

Common cyber threats
Definition of computer security
6 categories of security services
Implementations of security services
Security policy and security audit

Image Source: https://www.livehacking.com/2011/09/08/cybercrime-bigger-thanglobal-black-market-in-marijuana-cocaine-and-heroin-combined/


(Figure: Juliet and Romeo, the two communicating parties used in the examples that follow)

Contemporary Security
Challenges and Vulnerabilities

The architecture of a Web-based application typically includes a Web client, a server, and corporate
information systems linked to databases. Each of these components presents security challenges and
vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point
in the network.

Figure 8-1

Image Source: http://savejasonsmom.org/wp-content/uploads/2011/02/question_mark.jpg

Computer virus: a rogue software program that attaches itself to other programs in order to be executed
  Can copy itself from file to file
  Can harm data, programs, machines, or the network and its performance, or open a backdoor for an attacker

Worm: a malicious program that copies itself from one computer to another over the network by exploiting security vulnerabilities, without needing a host program or any user action
  Can cause the same damage as a virus

Trojan horse: a software program that appears to be benign but then does something unexpected
  Can cause the same damage as a virus
  Does not replicate on its own; it relies on the user being tricked into running it

Image Source: http://www.aakashjain.com/wp-content/uploads/2009/04/cyber-threat.jpg


http://computerworm.net/2011/07/14/all-you-need-to-know-about-a-computer-worm/
http://www.systemdiary.com/a-new-type-of-trojan-horse-attacks-europe/

Spoofing: masquerading as someone else to trick users into revealing their information
  Phishing (e-mail spoofing): sending e-mail or text messages that look legitimate and using them to ask for confidential data
  Pharming (web spoofing): redirecting users to a bogus web site, for example by poisoning DNS, even when they type the correct address
  Evil twins: a rogue WiFi access point that imitates a legitimate one

Sniffing: an eavesdropping program that monitors information travelling over a network

Denial of Service (DoS) and Distributed DoS (DDoS) attacks: attackers flood a server with bogus requests in order to crash it or exhaust its resources
  Attackers gain control of many compromised ("zombie") computers and form a botnet to perform the attack

(Figure: sample phishing e-mails, labelled FBI, UPS and Order)

Please click the following link to verify your information: http://www.ebay.com/

The text shown for a link and the address it actually opens can differ. Hover over the link (or read the message source) to see the real target before clicking.

For more information:
http://www.microsoft.com/security/onlineprivacy/phishing-symptoms.aspx
http://ecommercewonderland.blogspot.com/2009/06/phishing-examples-and-its-prevention.html
http://www.oxfordadvancedlearnersdictionary.com/dictionary/spam

Image Source: http://e-commercewonderland.blogspot.com/2009/06/phishing-examples-and-its-prevention.html

Return-Path: hacker@example.ca
Return-Path is the envelope sender recorded by the mail server: it is where bounces are sent, and it reveals the account that actually sent the message. Here it does not match the displayed From address, which the sender can set to anything.
From: TD Customer Service <customer-support@tdcanadatrust.com>
To: to-be-hacked@user.ca
Subject: TD Customer Service Account Update
Date: Thursday, 06 Oct 2011 13:27:26 +0300
Importance: high
These headers tell your e-mail client what to display in the message header.

MIME-Version: 1.0
Content-Type: multipart/alternative;
This tells the client what kind of text the e-mail contains: plain text, HTML, or another format. An HTML part can show one address as the link text while the link itself points somewhere else.

Content:
Dear Customer,
We are currently upgrading our system. Please click the following link, log into your account and verify your information.
http://easyweb.td.com/

Sincerely,
TD Customer Support Group
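As an added worked example (not part of the slides), here is a small Python checker that applies the two tests described above to a constructed copy of this message: it compares the Return-Path domain with the From domain, and it flags links whose visible text is a URL on a different domain from the one the href actually opens. The message text, the Return-Path address and the attacker host easyweb.td.com.example.ca are made up for the demonstration, and the "last two labels" domain comparison is a deliberate simplification.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the annotated message above; the Return-Path
# and the attacker host easyweb.td.com.example.ca are made up for the demo.
RAW_MESSAGE = """\
Return-Path: <hacker@example.ca>
From: TD Customer Service <customer-support@tdcanadatrust.com>
To: to-be-hacked@user.ca
Subject: TD Customer Service Account Update
Date: Thu, 06 Oct 2011 13:27:26 +0300
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<p>Dear Customer,</p>
<p>We are currently upgrading our system. Please click the following link,
log into your account and verify your information.</p>
<p><a href="http://easyweb.td.com.example.ca/login">http://easyweb.td.com/</a></p>
<p>Sincerely,<br>TD Customer Support Group</p>
"""


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough for the demo; a real filter would use the Public Suffix List."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def address_domain(header_value):
    """Domain part of the address in a From:/Return-Path:/Reply-To: header."""
    _, addr = parseaddr(str(header_value or ""))
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html):
    """(visible text, real href) pairs where the text is itself a URL whose
    domain differs from the domain the link actually points at."""
    parser = LinkExtractor()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if text.startswith(("http://", "https://")):
            shown = registrable_domain(urlparse(text).hostname)
            real = registrable_domain(urlparse(href).hostname)
            if shown != real:
                found.append((text, href))
    return found


def analyse(raw_message):
    """Run the header and link checks over one raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = address_domain(msg["From"])
    return_path_domain = address_domain(msg["Return-Path"])
    reply_to_domain = address_domain(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # Envelope sender and displayed sender disagree: classic spoofing sign.
        "envelope_mismatch": return_path_domain != from_domain,
        "reply_to_mismatch": reply_to_domain != from_domain,
        "deceptive_links": deceptive_links(html),
    }


if __name__ == "__main__":
    for key, value in analyse(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Neither check is proof of phishing on its own (mailing lists and marketing providers legitimately set a different Return-Path), which is why real mail filters combine these signals with SPF, DKIM and reputation data.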

In Spring 2012, two math students got co-op offers in New York City. They found a very good apartment.
They were taking CS 330 at that time and found the e-mail sent by the landlord a bit fishy.
They asked me whether it was phishing.
What do you think?

Acknowledgment: special thanks to Martin, the student who gave me permission to use this e-mail for teaching purposes.

Image Source: http://en.wikipedia.org/wiki/Botnet


On Oct 5, 2012, Hotmail shut down all communications with UW e-mail servers: all e-mail between Hotmail accounts and UW accounts was rejected.

What happened
Some attacker got control of several hundred UW e-mail accounts and used them to send mass e-mail to Hotmail, presumably attempting to crash it.
Hotmail identified the problem (all the e-mails came from the UW server) and, as its only means of defense, rejected all e-mail from UW accounts.
The result was a denial of service to all UW users.

The successful takedown of the Rustock


botnet cut the volume of spam across the
world by one-third, according to Symantec's
March 2011 MessageLabs Intelligence Report.
The largest botnet that has been found and
removed so far is a botnet controlling over
12M computers
It has been estimated that up to one quarter
of all personal computers connected to the
internet may be part of a botnet.

Click fraud: bogus clicks on the Web (often generated by a "click robot") to drive up pay-per-click charges
http://en.wikipedia.org/wiki/Click_fraud

Cyberterrorism / cyberwarfare: exploitation of computer systems by terrorists or political parties as a means of warfare
Kill switch bill

Example: @AP, the official Twitter handle of the respected Associated Press news agency, sent out a message at about 1:07 p.m. ET, saying "Breaking: Two Explosions in the White House and Barack Obama is Injured." The AP quickly said it was hacked. The Dow plunged more than 140 points and bond yields fell. Within six minutes, the Dow recovered its losses and was trading with triple-digit gains. Reuters estimated that the temporary loss of market cap in the S&P 500 alone totaled $136.5 billion.
Source: http://www.cnbc.com/id/100646197

Adware is any software package which automatically downloads, displays, or plays advertisements on a computer, often without the user's permission and in the form of pop-ups.

Spyware is software that (secretly) installs on a user's machine and collects information about the user without their knowledge.
A keylogger is a form of spyware.
Germany's probe into state use of spyware on people.

Replay attack
A valid data transmission is maliciously captured and repeated at a later time, so that the receiver acts on it twice (for example, a payment instruction submitted again). Encryption alone does not prevent this, since the attacker never needs to read the message. Defences attach something to each message that cannot be reused: a sequence number, a timestamp, or a one-time nonce that the receiver remembers.

Salami attack
Stealing many amounts so small that each goes unnoticed (such as the rounding fractions of a cent) that together add up to a large sum.
Image Source: http://www.winspark.net/tag/security/
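An added example, not part of the original slides, showing the defence a receiver needs against replay: each request carries a fresh nonce and a timestamp and is authenticated with an HMAC over all three fields. A receiver that only checks the MAC accepts the captured request a second time; one that also checks the timestamp window and remembers nonces rejects it. The shared key, the 30-second window and the transfer payload are assumptions made for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumed pre-shared secret between sender and receiver (constructed for the demo).
SHARED_KEY = b"constructed-demo-shared-secret"


def make_request(key, payload, nonce=None, timestamp=None):
    """Sender side: bind the payload to a fresh nonce and a timestamp, then MAC it."""
    body = {
        "payload": payload,
        "nonce": nonce or secrets.token_hex(16),       # fresh random value per message
        "ts": int(time.time()) if timestamp is None else timestamp,
    }
    message = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return {"message": message, "tag": tag}


def naive_accept(key, request):
    """Receiver that only checks the MAC: a captured request replays perfectly."""
    expected = hmac.new(key, request["message"], hashlib.sha256).hexdigest()
    return "accepted" if hmac.compare_digest(expected, request["tag"]) else "rejected: bad MAC"


class ReplaySafeReceiver:
    """Receiver that also enforces freshness: timestamp window plus nonce memory."""

    def __init__(self, key, window_seconds=30, clock=time.time):
        self.key = key
        self.window = window_seconds
        self.clock = clock      # injectable so the behaviour can be tested deterministically
        self.seen = {}          # nonce -> timestamp, for nonces still inside the window

    def accept(self, request):
        expected = hmac.new(self.key, request["message"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["tag"]):
            return "rejected: bad MAC"              # forged or tampered
        body = json.loads(request["message"])
        now = int(self.clock())
        if abs(now - body["ts"]) > self.window:
            return "rejected: stale timestamp"      # too old (or a clock that is far off)
        # Forget nonces older than the window; their timestamps would be rejected anyway,
        # so the memory stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return "rejected: replay"               # same nonce presented twice inside the window
        self.seen[body["nonce"]] = body["ts"]
        return "accepted"


def demo():
    """Replay the same captured transfer against both receivers."""
    clock = {"now": 1_700_000_000}
    receiver = ReplaySafeReceiver(SHARED_KEY, clock=lambda: clock["now"])
    captured = make_request(SHARED_KEY, {"transfer": 100, "to": "mallory"}, timestamp=clock["now"])
    return {
        "naive_first": naive_accept(SHARED_KEY, captured),
        "naive_replay": naive_accept(SHARED_KEY, captured),
        "safe_first": receiver.accept(captured),
        "safe_replay": receiver.accept(captured),
    }


if __name__ == "__main__":
    print(demo())
```

The timestamp bounds how long the receiver must remember nonces; without it the nonce set would grow forever, and without the nonce an attacker could replay within the window.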


E-mail spam, also known as junk e-mail, is a subset of spam that sends nearly identical messages to numerous recipients by e-mail, often for advertisement.
Definitions of spam usually include the aspects that the e-mail is unsolicited, sent for business purposes and sent in bulk.

All of the software with malicious intent described above can be collectively called malware.
For a better definition of hacker, please refer to
http://en.wikipedia.org/wiki/Hacker
http://www.faqs.org/docs/artu/hackers.html
http://www.campusactivism.org/htmlresource/hackers/section4.html

The Spam Problem
Figure 4-8

Spam Filtering Software
Figure 4-7

Definition:
Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, interruption or physical damage to information systems

"My system is secure because it is protected by an ID and password."
"My communication is secure because it is encrypted."
Is that really so? A password only authenticates a user; it says nothing about what that user may do, whether the data stays confidential in transit, or whether the service stays available. Encryption protects confidentiality, but not by itself integrity, authenticity or availability. Security is made up of several distinct services.

A user wants to access an online ordering web site. We need to make sure that:
  The user is legit (authentication)
  His access is restricted to certain parts of the system (access control)
  His conversation cannot be overheard by others (data confidentiality)
  His data cannot be modified by others (data integrity)
  He can place an order whenever he wants to (availability)
  He cannot later deny having placed the order (non-repudiation)

Image source: http://activerain.com/blogsview/1860583/is-opportunity-knocking-at-your-door-

Authentication: assurance that the communicating entity is the one claimed
Access Control: prevention of the unauthorized use of a resource
Data Confidentiality: protection of data from unauthorized disclosure
Data Integrity: assurance that data received is as sent by an authorized entity
Availability: assurance that services are available when needed
Non-Repudiation: protection against denial by one of the parties in a communication

Two possibilities:
Sender denies sending
Receiver denies receiving

E-mail: "I am going to buy one million liters of gas from you at $1 per liter in 3 days."

3 days pass. If the gas price is now $1.2 per liter, who is likely to default? (The seller, who would rather deny ever receiving the order.)
3 days pass. If the gas price is now $0.8 per liter, who is likely to default? (The buyer, who would rather deny ever sending it.)

Authentication, Access Control, Data Confidentiality, Data Integrity, Availability, Non-repudiation: which one applies?

1. Captain Jack Sparrow wants to auction off the Black Pearl on eBay, but he is not sure the web site that he logs into is in fact eBay. Which of the security services above could be implemented to ease his anxiety?

2. The Smurfs e-mail Captain Jack Sparrow and make an offer of 1 billion dollars to buy the Black Pearl. Jack thinks this is a super sweet deal, but he is afraid that the Smurfs might back down from this deal. What security service can be used to prevent the Smurfs from denying they sent the e-mail?

3. Captain Jack Sparrow wants to make an announcement that he sold his ship and officially retires from piracy. What security service can be used to ensure the message is genuine?

4. Captain Jack Sparrow redecorates the Black Pearl and wants to open it to the public for sightseeing. He sets up some rules: for $100, a tourist can visit the first deck; for $200, a tourist can visit the second deck; $300 for the third deck, etc. Which of the security services above can be implemented to enforce these rules?

Firewall
Provides authentication and access control at the network boundary
Examples: packet filtering firewall, proxy firewall

Antivirus software
Provides data and system integrity, access control
Examples: Norton, Trend Micro, AVG etc.

Hardware controls
Provide authentication, access control, availability
Examples: dedicated hardware, smart card, fingerprint scan, retina scan, VPN dongle, backups etc.

Security software
Service provided depends on the type of security software used (authentication, confidentiality, integrity, access control etc.)

User awareness
Core of any implementation

In 2010, based on 30 million compromised passwords, the most common were: 123456, 123456789, password, iloveyou

In 2011
http://www.theglobeandmail.com/news/technology/tech-news/top-25-most-hacked-passwordsrevealed/article2244739/

In 2013
http://newsfeed.time.com/2014/01/20/the-25worst-passwords-of-2013/

A device/program that monitors and controls incoming and outgoing data transmissions to protect the company network from unauthorized access.
Allows authorized communication and denies unauthorized access, according to a rule set (addresses, ports, protocols, connection state)
Often placed between the company network and an external network like the Internet

Can be implemented using software or hardware. Sometimes it is built into the network modem/router, switch, or operating system.

Image Source: http://tadp.wdfiles.com/local--files/clase-5/firewall.gif

Antivirus software is used to detect, prevent, and remove malware, including but not limited to computer viruses, worms, Trojan horses, spyware and adware.

How does it work?
  Based on a virus signature database (hashes or byte patterns of known samples): only effective against known threats, and a small change to the sample defeats the signature
  Based on heuristics (suspicious behaviour or code features): can catch unknown variants, at the cost of false positives
  Largely a reactive approach
  Needs frequent updates, and does not replace backups of your data

Proper set up
  Scan the temp directory and the Internet temp directory
  Scan the registry, Internet settings and system files
  On-access scan (files are scanned as they are opened)
  E-mail scan
  Inconvenient side-effect: performance cost and occasional false positives
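The following added example (not the slides' own material, and not any real antivirus product's code) contrasts the two detection approaches on constructed byte strings that stand in for files on disk: a whole-file hash and a byte-pattern signature catch the known sample, a one-byte change defeats both, and a simple weighted heuristic still flags the variant while scoring a benign installer just under the threshold. The sample bytes, rule weights and threshold are made up for the illustration.

```python
import hashlib
import re

# Constructed stand-ins for files on disk; none of this is real malware.
SAMPLE_A = (b"MZ\x90\x00" + b"\xde\xad\xbe\xef\x01\x02"
            + b" URLDownloadToFileA http://c2.example/dropper.exe WinExec")
# "Variant": one byte of the marker changed and a byte appended, behaviour unchanged.
VARIANT = SAMPLE_A.replace(b"\xef\x01\x02", b"\xef\x02\x02") + b"\x00"
BENIGN = b"MZ\x90\x00 Setup wizard: ShellExecute installer.exe"

# Signature database: exact file hashes and byte patterns of known samples.
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_A).hexdigest(): "Demo.Dropper.A"}
BYTE_SIGNATURES = {b"\xde\xad\xbe\xef\x01\x02": "Demo.Dropper"}

# Heuristic rules: (pattern, weight, reason). Weights and threshold are made up.
HEURISTIC_RULES = [
    (re.compile(rb"URLDownloadToFile"), 2, "downloads from the Internet"),
    (re.compile(rb"WinExec|ShellExecute"), 2, "launches programs"),
    (re.compile(rb"\.exe\b"), 1, "references an executable"),
]
SUSPICION_THRESHOLD = 4


def hash_scan(blob):
    """Whole-file hash lookup: exact match only."""
    return HASH_SIGNATURES.get(hashlib.sha256(blob).hexdigest())


def pattern_scan(blob):
    """Byte-pattern lookup: survives padding but not a change inside the pattern."""
    for pattern, name in BYTE_SIGNATURES.items():
        if pattern in blob:
            return name
    return None


def heuristic_score(blob):
    """Sum the weights of every rule that fires; return the score and the reasons."""
    score, reasons = 0, []
    for regex, weight, reason in HEURISTIC_RULES:
        if regex.search(blob):
            score += weight
            reasons.append(reason)
    return score, reasons


def scan(blob):
    """Signatures first (cheap and precise), heuristics only for unknown files."""
    name = hash_scan(blob) or pattern_scan(blob)
    if name:
        return {"verdict": "malware", "name": name, "score": None, "reasons": []}
    score, reasons = heuristic_score(blob)
    verdict = "suspicious" if score >= SUSPICION_THRESHOLD else "clean"
    return {"verdict": verdict, "name": None, "score": score, "reasons": reasons}


if __name__ == "__main__":
    for label, blob in (("known sample", SAMPLE_A), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, "->", scan(blob))
```

Lowering the threshold to 3 would flag the benign installer as well, which is exactly the false-positive trade-off the slide refers to; real products combine many more signals (emulation, behaviour monitoring, reputation) to keep both error rates low.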


Cryptography is the study of encryption: rendering a message unreadable to anyone who does not hold the key
It is the foundation of many of the security services mentioned above

For a sound algorithm, the strength of an encryption against brute force depends on the size of the key
The longer the key, the harder it is to guess it and recover the message
Analogy: the longer the password, the harder it is to guess
(Key size only helps if the algorithm has no shortcut; a long key for a weak cipher buys nothing.)

meet me after the toga party
  -> transformation based on a key (here, every letter is shifted 3 places) ->
PHHW PH DIWHU WKH WRJD SDUWB

It is always possible to simply try every key to find the one used in an encryption
Difficulty is proportional to key size

Key size (bits) | Number of alternative keys | Time required at 10^6 decryptions per microsecond
32              | 2^32 = 4.3 x 10^9          | 2.15 milliseconds
56              | 2^56 = 7.2 x 10^16         | 10 hours
128             | 2^128 = 3.4 x 10^38        | 5.4 x 10^18 years
168             | 2^168 = 3.7 x 10^50        | 5.9 x 10^30 years

(The times assume that on average half the key space must be searched: 2^31 decryptions at 10^6 per microsecond take 2.15 ms. At only 10^6 decryptions per second the 32-bit search would take about 36 minutes.)
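An added Python example (not from the slides) that implements the transformation shown above, the Caesar shift by three, and then does what the brute-force slide describes: it tries all 26 keys and picks the decryption containing the most dictionary words. The small word list is a constructed stand-in for a real dictionary, and the last function reproduces the table's timings from the assumption that half the key space is searched on average.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text, key):
    """Shift every letter by `key` places (mod 26); other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext):
    """Exhaustive key search: only 26 candidates, so every one can be tried."""
    return {key: caesar(ciphertext, -key) for key in range(26)}


# Tiny English word list used to score candidates (a constructed stand-in for a dictionary).
COMMON_WORDS = {"THE", "ME", "MEET", "AFTER", "PARTY", "AND", "YOU", "AT"}


def best_guess(ciphertext):
    """Pick the key whose decryption contains the most dictionary words."""
    scored = []
    for key, plaintext in brute_force(ciphertext).items():
        hits = len(set(plaintext.split()) & COMMON_WORDS)
        scored.append((hits, key, plaintext))
    _, key, plaintext = max(scored)
    return key, plaintext


def brute_force_seconds(key_bits, decryptions_per_second):
    """Expected exhaustive-search time: on average half the key space is tried."""
    return (2 ** key_bits / 2) / decryptions_per_second


if __name__ == "__main__":
    ct = caesar("meet me after the toga party", 3)
    print(ct)                 # PHHW PH DIWHU WKH WRJD SDUWB
    print(best_guess(ct))     # (3, 'MEET ME AFTER THE TOGA PARTY')
    for bits in (32, 56, 128):
        # 10^6 decryptions per microsecond = 10^12 per second, as in the table above
        print(bits, "bits:", brute_force_seconds(bits, 1e12), "seconds")
```

With a 25-key space the "brute force" is a loop; the table's point is that the same loop over a 128-bit space is hopeless, which is why the strength estimate is about key size and not about keeping the algorithm secret.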

What is secure is relative to the computing power available now
This is called computationally secure: a system/message is computationally secure if it would take the attacker a very long time to crack it even using the best existing technologies and tools
Implication of Moore's Law: the computing power available to an attacker keeps growing, so key sizes that were adequate a decade ago are not adequate now

Computer security needs constant upgrade

Image Source: http://blog.commtouch.com/cafe/wp-content/uploads/What-is-security-2.jpg

Symmetric key encryption: the same key is used to encrypt and decrypt the data
  This is what people usually mean by "encryption"
  Protects secrecy
  Examples: DES, Triple DES, AES, RC4, RC5 (WEP is a wireless protocol built on RC4, not a cipher; DES and RC4 are no longer considered secure)

Public key encryption: uses a pair of keys (one called the public key, the other the private key). One key is used to encrypt and the other to decrypt
  Though it can be used to protect secrecy, it is often used to generate digital signatures and to exchange symmetric keys
  Example: RSA (PKI, introduced below, is the certificate infrastructure built on public-key cryptography rather than a cipher)

Image Source: http://techliberation.com/wp-content/uploads/2011/01/encryption.jpg

Digital signatures protect data authenticity and integrity, and provide non-repudiation

A digital signature is a unique mathematical value computed over a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit.

The sender's private key is used to sign the document (in practice, to sign a cryptographic hash of it) and the sender's public key is used to verify the signature
  Only the sender can sign, as his private key is private
  Anyone can verify, as his public key is public
  Signed text

Image Source: https://tspace.library.utoronto.ca/html/1807/4637/jmir_v4i2e12_fig2.jpg

MD5
http://www.whatsmyip.org/hash_generator/

SHA1
http://www.tech-faq.com/sha-1-generator
http://nsfsecurity.pr.erau.edu/crypto/sha1.html

Both MD5 and SHA-1 are now broken with respect to collision resistance; new signatures and certificates should use SHA-256 or stronger.

Interesting tools
http://www.whatsmyip.org/

A certificate bears the digital signature of a certificate authority (CA) whose identity, that is its public key, is built into the operating system or web browser
  The OS or browser can verify the CA's digital signature, hence the legitimacy of the certificate, and hence the identity of the certificate holder
  The certificate also contains the public key of the certificate holder, together with the name (domain) it was issued for

HTTPS and SSL/TLS: secure protocols over the Internet, based on certificates.

eBay first creates a pair of keys, one public key and one private key.
It then submits the public key to VeriSign (at the time one of the largest certificate authorities) to get a certificate.
The certificate contains information about eBay and its public key, signed by VeriSign.

When Romeo contacts eBay to sign up for an account, eBay presents its certificate to his web browser.
The process to verify a certificate is built into the browser.

The browser verifies that the certificate is valid, was signed by a CA the browser trusts, and belongs to eBay (the name in the certificate matches the site being visited).
This step proves that Romeo is indeed in contact with eBay, not an impersonator.

The browser then extracts eBay's public key from the certificate.
It then randomly generates a symmetric key, encrypts it using eBay's public key and sends it back to eBay.
Since it is encrypted with eBay's public key, it can be decrypted only by eBay's private key.

eBay then decrypts the symmetric key with its private key.
Now Romeo and eBay share a symmetric key and all subsequent conversation can be encrypted using it.

This is the RSA key-transport handshake of early SSL/TLS. Modern TLS instead derives the session key from an ephemeral Diffie-Hellman exchange that the certificate's signature authenticates, so that a later compromise of eBay's private key does not expose recorded past sessions.


The HR manager received the following appraisal report one day:

Bob Smith, my assistant programmer, can always be found
hard at work at his desk. He works independently, without
wasting company time talking to colleagues. Bob never
thinks twice about assisting fellow employees, and always
finishes given assignments on time. Often he takes extended
measures to complete his work, sometimes skipping coffee
breaks. Bob is a dedicated individual who has absolutely no
vanity in spite of his high accomplishments and profound
knowledge in his field. I firmly believe that Bob can be
classed as an asset employee, the type which cannot be
dispensed with. Consequently, I duly recommend that Bob be
promoted to executive management, and a proposal will be
executed as soon as possible.

(Read only the odd-numbered lines of the report to find the message hidden in it.)

Steganography: an alternative to encryption for secrecy
  Hides the existence of the message rather than its content
  Using only a subset of letters/words in a longer message, marked in some way
  Hiding data in a graphic image or sound file
  Using invisible ink

Drawbacks
  High overhead to hide relatively few bits of information
  Becomes useless once the hiding method is discovered, since the hidden data is usually not protected in any other way (combine it with encryption if secrecy matters)
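An added example, not part of the slides, of the "hiding data in an image" technique in its simplest form: the secret's bits replace the least significant bit of successive bytes of a constructed 8-bit "image" buffer (a gradient standing in for real pixel data), so each byte changes by at most one and the picture looks the same. It also makes both drawbacks concrete: eight cover bytes per hidden byte, and a comparison against the original cover exposes every changed byte.

```python
def hide(cover, secret):
    """Replace the least significant bit of successive cover bytes with the bits
    of a 4-byte length prefix followed by the secret (most significant bit first)."""
    payload = len(secret).to_bytes(4, "big") + secret
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} bytes, have {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit     # each byte changes by at most 1
    return bytes(stego)


def reveal(stego):
    """Read the LSBs back: first the length prefix, then that many bytes."""
    def read_bytes(start, count):
        out = bytearray()
        for j in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start + j * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def cover_bytes_needed(secret_len):
    """Overhead: eight cover bytes per payload byte, plus the 4-byte length prefix."""
    return 8 * (secret_len + 4)


def changed_bytes(cover, stego):
    """A known-cover comparison exposes the embedding immediately (the 'trivial'
    case the jphide readme below mentions): every differing byte is a hidden bit."""
    return sum(a != b for a, b in zip(cover, stego))


if __name__ == "__main__":
    # Constructed 64x64 8-bit 'image': a repeating gradient standing in for real pixels.
    cover = bytes(range(256)) * 16
    secret = b"meet me after the toga party"
    stego = hide(cover, secret)
    print(reveal(stego))
    print(cover_bytes_needed(len(secret)), "cover bytes used for", len(secret), "secret bytes")
    print(changed_bytes(cover, stego), "bytes differ from the original cover")
```

Real image steganography tools hide in compressed-domain coefficients (jphide works on JPEG) and spread the bits to resist statistical detection, but the capacity and known-cover weaknesses are the same as in this plain LSB version.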


Hiding a message in a picture using WinRAR:
http://www.marcofolio.net/how_to/hide_files_in_jpg_files.html
http://www.online-tech-tips.com/computer-tips/hide-file-inpicture/

From the jphide/jpseek readme:

These programs are available for test purposes only.
Please send me any useful comments for improvements.
In particular if you discover ways to detect the presence of the hidden data (even if you can't extract it) I would like to hear about it. This excludes the case where both the original and the modified jpeg are available (in which case it is a trivial task!)
Remember they are FREE and BETA test versions. They may not work as you expect. I offer no warranty and accept no liability for their use.
They are incompatible with earlier versions of similar products I have written.
JPHIDE.EXE is a DOS program to hide a data file in a jpeg file.
JPSEEK.EXE is a DOS program to recover a file hidden with JPHIDE.EXE
JPHSWIN.EXE is a Windows-95 program which performs the same functions as the two programs above.
The programs are free standing and require no special installation.
Allan Latham <alatham@flexsys-group.com> 7th January 1999.

The risks to users of wireless technology have increased as the service has become more popular
  Wireless transmission is broadcast over the air: anyone with the right equipment can intercept the signal
  Wireless transmission by default is NOT encrypted!
  Wardriving: driving around with a laptop and antenna to locate open or weakly protected access points

Common solutions
  Encrypt the transmission!
  WEP (broken, not recommended), WPA and WPA2 (prefer WPA2 with a strong passphrase)
  Smart card and USB token for stronger authentication to the network
  Use a wired network for highly sensitive communication

Image source: http://en.wikipedia.org/wiki/Wardriving

Commercial software contains flaws that create security vulnerabilities
  Hidden bugs (program code defects)
  Zero defects cannot be achieved because complete testing is not technically or economically possible with large programs
  Flaws can open networks to intruders

Patches
  Vendors release small pieces of software to repair flaws
  However, the amount of software in use can mean that exploits are created faster than patches can be released and installed, so the window between disclosure and patching has to be managed

Inadequate security and control results in loss


of business and may create serious legal
liability
Businesses must protect not only their own
information assets but also those of customers,
employees, and business partners. Failure to do so
can lead to costly litigation for data exposure or
theft

A sound security and control framework that


protects business information assets can thus
produce a high return on investment

CSOX: Canadian rules for the Sarbanes-Oxley Act, Bill 198
  Called SOX in the US
  Internal controls must be put in place to govern information in financial statements

ERM: Electronic Records Management
  Managing the retention, storage and destruction of electronic records

These controls can be realized by the security services and their implementations introduced earlier

Risk assessment: determine the level of risk to the firm in the case of improper controls
  Type of risk
  Probability of occurrence
  Damage (expected loss = probability x damage, which is what ranks which assets to protect first)

Image Source: http://www.scienceinthebox.com/en_UK/safety/riskassessment_en.html

How much are you willing to spend on security? (No more than the expected loss it prevents.)

Acceptable Use Policy (AUP)
  Acceptable uses and users of information and computers
  Example

Authorization Policies
  Determine the levels of access for different users
  Often based on security profiles

Business continuity plan

Technical measures used to enforce the policies

Security Profiles for a Personnel System
Figure 8-4

Business continuity plan: getting the business up and running after a disaster
  Safeguarding people as well as machines

Business measures:
  Documenting business processes
  Not relying on people who may be unavailable
  Drills and training

Technical measures:
  High-availability computer systems help firms recover quickly from a crash
  Fault-tolerant computer systems aim for continuous availability, masking component failures so that there is little or no recovery time
  Both usually rely on a backup system

Security audit: a comprehensive assessment of a company's computer security policies, procedures and technical measures
Penetration test: a simulated attack, carried out with permission, to find out whether the measures actually hold
Video Source:
http://video.google.com/videoplay?docid=5642547759793319840#

Risk assessment is done before the security implementation, while auditing is done after its implementation and should be repeated from time to time

Auditor's List of Weaknesses
Figure 8-5

Users' lack of knowledge, or human ignorance, is the single greatest cause of computer security breaches!
Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques.
Passwords revealed by a "sweet deal"

Image Source: http://truthaboutlaserhairremoval.com/wp-content/uploads/2010/10/scam-alert-large1-e1288206782821.jpg