Business Information Security Systems

Michael Liu University of Waterloo 1


Transcript of Business Information Security Systems

Page 1: Business Information Security Systems

Michael Liu

University of Waterloo


Page 2: Business Information Security Systems

There are three major sources for these slides:

◦ Chapter 01 lecture slides of “Cryptography and Network Security”, 4th edition, Stallings

◦ The textbook by Laudon, Laudon and Brabston (2009). Management Information Systems: Managing the Digital Firm, Fourth Canadian Edition, Toronto, Pearson Prentice Hall, © 2009 Pearson Education Canada

◦ The lectures developed by Dr. Anne Pidduck


Page 3: Business Information Security Systems

Textbook Chapter 08


Page 4: Business Information Security Systems

Common cyber threats

Definition of computer security

6 categories of security services

Implementations of security services

Security policy and security audit


Page 5: Business Information Security Systems


Image Source: https://www.livehacking.com/2011/09/08/cybercrime-bigger-than-global-black-market-in-marijuana-cocaine-and-heroin-combined/

Page 6: Business Information Security Systems

(Slide figure: two communicating parties, labelled Juliet and Romeo)

Page 7: Business Information Security Systems

Contemporary Security Challenges and Vulnerabilities

Figure 8-1

The architecture of a Web-based application typically includes a Web client, a server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities. Floods, fires, power failures, and other electrical problems can cause disruptions at any point in the network.


Page 9: Business Information Security Systems

Computer virus: a rogue software program that attaches itself to other programs in order to be executed
◦ Can automatically copy itself from file to file
◦ Can harm data, programs, machines, the network or its performance, or open a backdoor for an attacker

Worm: a malicious program that copies itself from one computer to another over the network by exploiting security vulnerabilities, without needing a host program or any user action
◦ Can cause the same damage as a virus

Trojan horse: a software program that appears to be benign but then does something unexpected
◦ Can cause the same damage as a virus
◦ Does not replicate itself; it relies on the user being tricked into running it


Image Source: http://www.aakashjain.com/wp-content/uploads/2009/04/cyber-threat.jpg http://computerworm.net/2011/07/14/all-you-need-to-know-about-a-computer-worm/ http://www.systemdiary.com/a-new-type-of-trojan-horse-attacks-europe/

Page 10: Business Information Security Systems

Spoofing: masquerading as someone else to trick users into revealing their information
◦ Phishing (e-mail spoofing): sending e-mail or text messages that look legitimate and using them to ask for confidential data
◦ Pharming (web spoofing): redirecting users to a bogus web site, typically by corrupting DNS or hosts-file resolution so that even a correctly typed address leads to the attacker's server
◦ Evil twins: a rogue Wi-Fi access point that imitates a legitimate one so that victims connect through the attacker

Sniffing: an eavesdropping program that monitors information travelling over a network

Denial of Service (DoS) attacks or Distributed DoS (DDoS): attackers flood a server with bogus requests to exhaust its resources so that it crashes or can no longer serve legitimate users
◦ For a DDoS, the attacker first gains control of many compromised "zombie" computers, forming a botnet, and directs all of them to perform the attack


Page 12: Business Information Security Systems

For more information: http://www.microsoft.com/security/online-privacy/phishing-symptoms.aspx

http://e-commercewonderland.blogspot.com/2009/06/phishing-examples-and-its-prevention.html

Image Source: http://e-commercewonderland.blogspot.com/2009/06/phishing-examples-and-its-prevention.html

Please click the following link to verify your information: http://www.ebay.com/

http://www.oxfordadvancedlearnersdictionary.com/dictionary/spam

Page 13: Business Information Security Systems


Return-Path: [e-mail address redacted in source]
  (where delivery failures are returned; it is set by the sending mail server and need not match the From address, so a mismatch between the two domains is a warning sign)

From: TD Customer Service <[e-mail address redacted in source]>
To: [e-mail address redacted in source]
Subject: TD Customer Service – Account Update
Date: Thursday, 06 Oct 2011 13:27:26 +0300
Importance: high
  (these headers tell your e-mail client what to display; the From line is chosen by the sender and can say anything)

MIME-Version: 1.0
Content-Type: multipart/alternative;
  (tells what kind of text the e-mail contains: plain text, HTML formatted or another format; an HTML version can show one address as link text while linking to another)

Content:

Dear Customer,

We are currently upgrading our system. Please click the following link, log into your account and verify your information.

http://easyweb.td.com/

Sincerely,

TD Customer Support Group
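The two header and link checks the slide points at can be automated. The following Python script is an added example, not part of the slides: it parses a raw e-mail, compares the Return-Path domain with the From domain, and compares the visible text of each HTML link with the host its href actually points to. Both sample messages embedded in it are constructed for the example (the From address and the visible link text borrow the TD domain from the slide's specimen; every other address uses reserved .example names), and the "last two labels" notion of a domain is a deliberate simplification of the Public Suffix List.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed specimen modelled on the slide's "TD Customer Service" message.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
From: TD Customer Service <customer.service@td.com>
To: romeo@example.org
Subject: TD Customer Service - Account Update
Importance: high
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Customer,</p>
<p>We are currently upgrading our system. Please click the following link,
log into your account and verify your information.</p>
<p><a href="http://easyweb.td.com.account-verify.example/login">http://easyweb.td.com/</a></p>
<p>Sincerely,<br>TD Customer Support Group</p></body></html>
"""

# Constructed legitimate message: consistent domains, link text matches href.
SAMPLE_LEGIT = """\
Return-Path: <bounces@td.com>
From: TD Customer Service <customer.service@td.com>
To: romeo@example.org
Subject: Your statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p><a href="https://easyweb.td.com/">https://easyweb.td.com/</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: the last two labels (td.com, example.net)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def address_domain(header_value):
    """Domain part of the address in a From or Return-Path header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyse(raw_message):
    """Return a list of findings; an empty list means neither check fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = address_domain(msg["From"])
    bounce_dom = address_domain(msg["Return-Path"])
    # Check 1: the bounce address is set by the sending server, the From line is free text.
    if from_dom and bounce_dom and registrable_domain(from_dom) != registrable_domain(bounce_dom):
        findings.append(f"Return-Path domain {bounce_dom} does not match From domain {from_dom}")
    # Check 2: a link whose visible text is a URL on one site but whose href goes elsewhere.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            if text.startswith(("http://", "https://")):
                shown = urlparse(text).hostname or ""
                actual = urlparse(href).hostname or ""
                if registrable_domain(shown) != registrable_domain(actual):
                    findings.append(f"link text {text} actually points to {href}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw) or "no findings")
```

Neither check is proof on its own (mailing-list relays legitimately change the Return-Path, and marketing e-mail often links through tracking hosts), which is why the script reports findings for a human rather than a verdict.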

Page 14: Business Information Security Systems

In Spring 2012, two math students got co-op offers in New York City. They found a very good apartment.

They were taking CS 330 at that time and found the e-mail sent by the landlord a bit fishy.

They asked me whether it was phishing.

What do you think?

Acknowledgment: special thanks to Martin, the student who gave me permission to use this e-mail for teaching purposes

Page 15: Business Information Security Systems

Image Source: http://en.wikipedia.org/wiki/Botnet

Page 16: Business Information Security Systems


Page 17: Business Information Security Systems

On Oct 5, 2012, Hotmail shut down all communications with UW e-mail servers
◦ All e-mails between Hotmail accounts and UW accounts were rejected

What happened
◦ An attacker got control of several hundred UW e-mail accounts and used them to send mass e-mails to Hotmail, presumably attempting to overwhelm it
◦ Hotmail identified the problem (all the e-mails came from the UW server) and, as its only means of defence, rejected all e-mails from UW accounts: a denial of service to all UW users


Page 18: Business Information Security Systems

The successful takedown of the Rustock botnet cut the volume of spam across the world by one-third, according to Symantec's March 2011 MessageLabs Intelligence Report.

The largest botnet found and dismantled so far controlled over 12 million computers.

It has been estimated that up to one quarter of all personal computers connected to the Internet may be part of a botnet.


Page 19: Business Information Security Systems

Click fraud: bogus clicks to drive up pay-per-click charges
◦ Web click robot
◦ http://en.wikipedia.org/wiki/Click_fraud

Cyberterrorism and cyberwarfare: exploitation of computer systems by terrorists or political groups as a means of warfare
◦ Kill switch bill

Adware: any software package which automatically downloads, displays or plays advertisements on a computer, often without the user's permission and in the form of pop-ups

Spyware: software that (secretly) installs itself on a user's machine and collects information about the user without their knowledge
◦ A keylogger is a form of spyware
◦ Germany's probe into state use of spyware on citizens


@AP, the official twitter handle of the respected Associated Press news agency, sent out a message at about 1:07 p.m. ET, saying "Breaking: Two Explosions in the White House and Barack Obama is Injured." The AP quickly said it was hacked. The Dow plunged more than 140 points and bond yields fell. Within six minutes, the Dow recovered its losses and was trading with triple-digit gains. Reuters estimated that the temporary loss of market cap in the S&P 500 alone totaled $136.5 billion. Source: http://www.cnbc.com/id/100646197


Page 20: Business Information Security Systems

Replay attack
◦ A valid data transmission is captured and maliciously repeated at a later time (for example, re-sending an intercepted "transfer $100" message); defences include a timestamp, sequence number or one-time nonce in each message so that a copy is recognised as stale

Salami attack
◦ Many small amounts, each too small to be noticed (for example, the fraction of a cent rounded off an interest calculation), are skimmed and accumulated into a large sum

Image Source: http://www.winspark.net/tag/security/

Page 21: Business Information Security Systems

E-mail spam, also known as junk e-mail, is a subset of spam that sends nearly identical messages to numerous recipients by e-mail, often for advertising
◦ Definitions of spam usually include the aspects that the e-mail is unsolicited, sent for a business purpose and sent in bulk

All of the above software with malicious intent can be collectively called malware.

For a better definition of hacker, please refer to:
http://en.wikipedia.org/wiki/Hacker
http://www.faqs.org/docs/artu/hackers.html
http://www.campusactivism.org/html-resource/hackers/section4.html


Page 22: Business Information Security Systems

The Spam Problem

Figure 4-8


Page 23: Business Information Security Systems

Spam Filtering Software

Figure 4-7

Page 24: Business Information Security Systems

Definition:

• Policies, procedures and technical measures used to prevent unauthorized access, alteration, theft, interruption or physical damage to information systems


Page 25: Business Information Security Systems

My system is secure because it is protected by ID and password

My communication is secure because it is encrypted.

Is that really so?


Page 26: Business Information Security Systems

A user wants to access an online ordering web site. Need to make sure that:
◦ The user is legitimate (authentication)
◦ His access is restricted to certain parts of the system (access control)
◦ His conversation cannot be overheard by others (confidentiality)
◦ His data cannot be modified by others (integrity)
◦ He can place an order whenever he wants to (availability)
◦ He keeps his word after placing the order and cannot later deny having placed it (non-repudiation)

Image source: http://activerain.com/blogsview/1860583/is-opportunity-knocking-at-your-door-

Page 27: Business Information Security Systems


• Authentication: assurance that the communicating entity is the one claimed

• Access Control: prevention of the unauthorized use of a resource

• Data Confidentiality: protection of data from unauthorized disclosure

• Data Integrity: assurance that data received is as sent by an authorized entity

• Availability: assurance that services are available when needed

• Non-Repudiation: protection against denial by one of the parties in a communication

Page 28: Business Information Security Systems

Two possibilities:
◦ The sender denies having sent the message
◦ The receiver denies having received it


Page 29: Business Information Security Systems

E-mail: "I am going to buy one million liters of gas from you at $1 per liter in 3 days."

Three days pass. If the gas price is now $1.20 per liter, who is likely to default on the deal?

Three days pass. If the gas price is now $0.80 per liter, who is likely to default?

Page 30: Business Information Security Systems

Authentication, Access Control, Data Confidentiality, Data Integrity, Availability, Non-repudiation


Captain Jack Sparrow redecorates the Black Pearl and wants to open it to the public for sightseeing. He sets up rules: for $100 a tourist can visit the first deck; for $200, the second deck; $300 for the third deck, etc. Which of the security services can be implemented to enforce these rules?

Captain Jack Sparrow wants to auction off the Black Pearl on eBay but he is not sure that the web site he logs into is in fact eBay. Which of the security services could be implemented to ease his anxiety?

The Smurfs e-mail Captain Jack Sparrow and offer 1 billion dollars to buy the Black Pearl. Jack thinks this is a super sweet deal but he is afraid that the Smurfs might back out of it. What security service can be used to prevent the Smurfs from denying that they sent the e-mail?

Captain Jack Sparrow wants to announce that he has sold his ship and officially retires from piracy. What security service can be used to assure the public that the message is genuine?

Page 31: Business Information Security Systems

Firewall

◦ Provide authentication and access control

◦ Example: packet filtering firewall, proxy firewall

Antivirus software

◦ Provide data and system integrity, access control

◦ Example: Norton, Trend Micro, AVG etc.

Hardware Controls

◦ Provide authentication, access control, availability

◦ Example: dedicated hardware, smartcard, fingerprint scan, retina scan, VPN dongle, backup etc

Security software

◦ Service provided depends on type of security software used (authentication, confidentiality, integrity, access control etc.)

User awareness

◦ Core of any implementation


Page 32: Business Information Security Systems

2010, based on 30 million compromised passwords: ◦ 123456, 123456789, password, iloveyou

In 2011: http://www.theglobeandmail.com/news/technology/tech-news/top-25-most-hacked-passwords-revealed/article2244739/

In 2013: http://newsfeed.time.com/2014/01/20/the-25-worst-passwords-of-2013/


Page 33: Business Information Security Systems

A device/program that monitors and controls incoming and outgoing data transmissions to protect the company network from unauthorized access
◦ Allows authorized communication and denies unauthorized access, according to a rule set
◦ Often placed between the company network and an external network like the Internet

Can be implemented in software or hardware. It is sometimes built into the network modem/router or into the operating system (a hub cannot filter anything: it repeats every frame to every port).

Image Source: http://tadp.wdfiles.com/local--files/clase-5/firewall.gif
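To make "allow authorized communication and deny unauthorized access" concrete, here is an added example (not from the slides) of the rule evaluation a packet-filtering firewall performs: an ordered rule list, first match wins, and anything that matches no rule is dropped. The company network 192.0.2.0/24, its web server 192.0.2.10 and the sample packets are constructed for the example from documentation address ranges. An anti-spoofing rule comes first so that a packet arriving from the Internet with a company source address is dropped before any allow rule can match it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed layout using documentation address ranges, not a real network.
ANY = ip_network("0.0.0.0/0")
LAN = ip_network("192.0.2.0/24")        # the company network
WEB = ip_network("192.0.2.10/32")       # the company's public web server
ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    iface: str          # "outside" = arrived from the Internet, "inside" = from the LAN
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # destination port (0 for protocols without ports)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    iface: str = "any"
    src: object = ANY           # ip_network the source must belong to
    dst: object = ANY           # ip_network the destination must belong to
    proto: str = "any"
    dports: range = ALL_PORTS
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and p.dport in self.dports)


# Order matters: the first matching rule decides.
RULES = [
    Rule("deny", iface="outside", src=LAN,
         comment="anti-spoofing: LAN addresses never arrive from the Internet"),
    Rule("allow", iface="outside", dst=WEB, proto="tcp", dports=range(443, 444),
         comment="public HTTPS to the web server"),
    Rule("allow", iface="outside", dst=WEB, proto="tcp", dports=range(80, 81),
         comment="public HTTP to the web server"),
    Rule("allow", iface="inside", src=LAN,
         comment="staff may open connections outward"),
]


def filter_packet(p: Packet, rules=RULES):
    """Return (action, reason). Unmatched packets fall through to default deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.comment
    return "deny", "default deny: no rule allowed this packet"


if __name__ == "__main__":
    samples = [
        Packet("outside", "203.0.113.5", "192.0.2.10", "tcp", 443),   # customer browsing the shop
        Packet("outside", "203.0.113.5", "192.0.2.10", "tcp", 22),    # SSH attempt from the Internet
        Packet("outside", "203.0.113.5", "192.0.2.20", "tcp", 445),   # SMB to an internal workstation
        Packet("outside", "192.0.2.77", "192.0.2.10", "tcp", 443),    # spoofed LAN source from outside
        Packet("inside", "192.0.2.77", "198.51.100.9", "udp", 53),    # staff DNS lookup
    ]
    for pkt in samples:
        print(f"{pkt.iface:7} {pkt.src:>13} -> {pkt.dst}:{pkt.dport:<5} {pkt.proto:4} {filter_packet(pkt)}")
```

The filter is stateless: it judges each packet on its own, so the replies to the staff's outbound connections would be dropped by this rule set unless a further rule admitted inbound traffic to the LAN. Real packet filters track connection state so that only replies to connections opened from inside are admitted, which is what makes the last rule safe to use.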

Page 34: Business Information Security Systems

It is used to detect, prevent and remove malware
◦ Including but not limited to computer viruses, worms, Trojan horses, spyware and adware

How does it work?
◦ Based on a virus signature database: byte patterns extracted from known malware
◦ Based on heuristics: rules that flag suspicious structure or behaviour, which can catch some variants
◦ Signature matching is only effective against known threats; a new or modified sample needs a new signature

Reactive approach: need to update frequently and back up data

Proper set-up
◦ Temp directory and Internet temp directory
◦ Registry
◦ Internet settings and system files
◦ On-access scan
◦ E-mail scan
◦ Inconvenient side effects (slower file access, false alarms)


Page 35: Business Information Security Systems

It is the study of encryption: rendering a message unreadable based on a key
◦ Foundation of many of the security services mentioned above

The strength of an encryption depends on the size of the key, provided the algorithm itself has no weakness that lets an attacker do better than trying keys
◦ The longer the key, the more keys have to be tried to recover the message
◦ Analogy: the longer the password, the harder it is to guess


Plaintext:  meet me after the toga party
Ciphertext: PHHW PH DIWHU WKH WRJD SDUWB

Transformation based on a key (here a Caesar cipher: each letter is replaced by the letter three places later in the alphabet, so the key is 3)

Page 36: Business Information Security Systems

It is always possible to simply try every key until the actual key used for the encryption is found (exhaustive search, or brute force)

Difficulty is proportional to key size: on average, half the key space has to be searched before the right key turns up

Key size (bits) | Number of alternative keys | Time required at 10^6 decryptions/µs
32              | 2^32  = 4.3 x 10^9         | 2.15 milliseconds
56              | 2^56  = 7.2 x 10^16        | 10 hours
128             | 2^128 = 3.4 x 10^38        | 5.4 x 10^18 years
168             | 2^168 = 3.7 x 10^50        | 5.9 x 10^30 years
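The shift cipher of the previous slide and the exhaustive-search argument of this table, as an added Python example that is not part of the slides: a Caesar encrypt/decrypt routine, a brute-force search that tries all 25 shifts and keeps the one producing a word we expect to see, and the arithmetic behind the table (average time is half the key space divided by the assumed rate of 10^6 decryptions per microsecond). The 25-key cipher falls instantly; the function that reproduces the table shows why a 128-bit key does not. Only the plaintext, ciphertext and table figures come from the slides; everything else is this example's own.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text, key):
    """Shift every letter `key` places along the alphabet (a negative key decrypts).
    Output is uppercase, as in the slide; spaces and punctuation pass through.
    With 26 letters there are only 25 distinct non-trivial keys."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def brute_force(ciphertext, known_word):
    """Exhaustive key search: try all 25 shifts and keep those whose candidate
    plaintext contains a word the attacker expects to see."""
    hits = []
    for key in range(1, 26):
        candidate = caesar(ciphertext, -key)
        if known_word.upper() in candidate:
            hits.append((key, candidate))
    return hits


# The table's assumption: 10^6 decryptions per microsecond = 10^12 per second.
DECRYPTIONS_PER_SECOND = 10**6 * 10**6
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def average_search_seconds(key_bits, rate=DECRYPTIONS_PER_SECOND):
    """Expected time to find the key: on average half the key space is searched."""
    return 2 ** (key_bits - 1) / rate


def humanize(seconds):
    """Render a duration in the units the slide's table uses."""
    if seconds < 1:
        return f"{seconds * 1e3:.2f} milliseconds"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    return f"{seconds / SECONDS_PER_YEAR:.1e} years"


def key_size_table(bit_sizes=(32, 56, 128, 168)):
    """Reproduce the slide's table as (bits, number of keys, average search time)."""
    return [(bits, 2 ** bits, humanize(average_search_seconds(bits))) for bits in bit_sizes]


if __name__ == "__main__":
    ct = caesar("meet me after the toga party", 3)
    print(ct)                                   # PHHW PH DIWHU WKH WRJD SDUWB
    print(brute_force(ct, "party"))             # [(3, 'MEET ME AFTER THE TOGA PARTY')]
    for bits, keys, time in key_size_table():
        print(f"{bits:>4} bits  {keys:.1e} keys  {time}")
```

The search needs some way to recognise the right plaintext (here a known word; in practice, statistical tests on the output), which is the one ingredient the table leaves implicit.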

Page 37: Business Information Security Systems

What is secure is relative to the computing power available now
◦ This is called computationally secure: a system/message is computationally secure if it would take the attacker a very "long time" to break it even using the best existing technologies and tools
◦ Implication of Moore's Law: computing power keeps growing, so a key size that is adequate today will not stay adequate

Computer security needs constant upgrading

Image Source: http://blog.commtouch.com/cafe/wp-content/uploads/What-is-security-2.jpg

Page 39: Business Information Security Systems

Symmetric key encryption: the same key is used to encrypt and decrypt the data
◦ This is what people usually refer to as "encryption"
◦ Protects secrecy; both parties must already share the key
◦ Examples: DES, Triple DES, AES, RC4, RC5 (WEP is a protocol built on RC4)

Public key encryption: uses a pair of keys (one called the public key and one called the private key). One key is used to encrypt and the other to decrypt
◦ Though it can be used to protect secrecy, it is often used to generate digital signatures and to exchange symmetric keys
◦ Example: RSA; PKI is the infrastructure (certificate authorities and certificates) that distributes public keys

Image Source: http://techliberation.com/wp-content/uploads/2011/01/encryption.jpg

Page 40: Business Information Security Systems

Protects data authenticity and integrity, and provides non-repudiation
◦ A digital signature is a value computed from a digital message or document (usually from its hash) with the signer's private key. A valid digital signature gives a recipient reason to believe that the message was created by the known sender and that it was not altered in transit.

The sender's private key is used to sign the document and the sender's public key is used to verify the signature

Image Source: https://tspace.library.utoronto.ca/html/1807/4637/jmir_v4i2e12_fig2.jpg

Signed text

Only the sender can sign, as his private key is "private"

Anyone can verify, as his public key is "public"

Page 42: Business Information Security Systems

It bears the digital signature of a certificate authority whose identity (public key) is built into the operating system or web browser
◦ The OS or browser can verify the legitimacy of the digital signature, hence the legitimacy of the certificate, and hence the identity of the certificate holder
◦ The certificate also contains the public key of the certificate holder

https and SSL (now TLS): secure protocols over the Internet, based on certificates

Page 43: Business Information Security Systems

eBay first creates a pair of keys, one public key and one private key

It then submits the public key to VeriSign to get a certificate
◦ The certificate contains information about eBay and its public key
◦ VeriSign was, at the time, one of the largest certificate authorities

When Romeo contacts eBay to sign up for an account, eBay presents its certificate to his web browser
◦ The process to verify a certificate is built into the browser

The browser verifies that the certificate is valid and that it belongs to eBay (the name in the certificate matches the site he typed, and the signature checks against a CA the browser trusts)
◦ This step shows that the certificate is genuine; that Romeo is talking to eBay rather than an impersonator holding a copy of the certificate is established only when the other side proves it has the matching private key, which the following steps do

The browser then extracts eBay's public key from the certificate

It then randomly generates a symmetric key, encrypts it using eBay's public key and sends it back to eBay
◦ Since it is encrypted with eBay's public key, it can be decrypted only with eBay's private key

eBay then decrypts the symmetric key with its private key

Now Romeo and eBay share a symmetric key and all subsequent conversation can be encrypted using it. (Modern TLS versions derive the session key with an ephemeral Diffie-Hellman exchange instead of encrypting it to the server's public key, so that a later theft of the server's private key does not expose recorded sessions; the certificate still plays the same role of authenticating the server.)

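The mechanics of pages 40 to 43 in one runnable piece, as an added Python example that is not part of the slides: signing and verification with a private/public pair, a certificate that a CA issues by signing a name together with a public key, the browser's certificate check, and the handshake in which the browser sends a fresh symmetric key encrypted to the certified public key. It uses textbook RSA with no padding and 512-bit moduli so that it runs in a few seconds in pure Python; that is enough to show the mechanics and is not how a real system should be built (real deployments use 2048-bit or larger keys with RSA-PSS/OAEP padding, or ephemeral Diffie-Hellman for the key exchange). The names (VeriSign, eBay, Romeo) follow the slide; the keys are generated fresh each run, and the certificate encoding is this example's own.

```python
import hashlib
import json
import secrets


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return (public, private). A 512-bit modulus keeps the demo fast and is still
    larger than a SHA-256 digest or a 128-bit session key; real keys are 2048+ bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:
            break
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private, data):
    """Page 40: only the private-key holder can compute this value."""
    return pow(_digest_int(data), private["d"], private["n"])


def verify(public, data, signature):
    """Anyone holding the public key can check it; a changed message fails."""
    return pow(signature, public["e"], public["n"]) == _digest_int(data)


def _canonical(body):
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_private, subject, subject_public):
    """Page 42: the CA binds a name to a public key by signing both together."""
    body = {"subject": subject, "n": subject_public["n"], "e": subject_public["e"]}
    return {"body": body, "signature": sign(ca_private, _canonical(body))}


def verify_certificate(ca_public, cert, expected_subject):
    """The browser's check: the right name, signed by a CA it already trusts."""
    body = cert["body"]
    return (body["subject"] == expected_subject
            and verify(ca_public, _canonical(body), cert["signature"]))


def client_hello(ca_public, cert, expected_subject):
    """Page 43, browser side: verify the certificate, then send a fresh symmetric
    key encrypted to the certified public key. Returns (key, ciphertext)."""
    if not verify_certificate(ca_public, cert, expected_subject):
        raise ValueError("certificate does not verify; refuse to connect")
    session_key = secrets.token_bytes(16)
    n, e = cert["body"]["n"], cert["body"]["e"]
    return session_key, pow(int.from_bytes(session_key, "big"), e, n)


def server_accept(server_private, ciphertext):
    """Page 43, server side: only the matching private key recovers the key.
    Returns None when the result is not a 128-bit value (wrong key or tampering)."""
    m = pow(ciphertext, server_private["d"], server_private["n"])
    return m.to_bytes(16, "big") if m < (1 << 128) else None


if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()          # "VeriSign": ca_pub ships in the browser
    ebay_pub, ebay_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "www.ebay.com", ebay_pub)
    key, c = client_hello(ca_pub, cert, "www.ebay.com")
    print("shared key agreed:", server_accept(ebay_priv, c) == key)
    fake_pub, fake_priv = generate_keypair()      # impersonator: right name, own key, no CA signature
    forged = issue_certificate(fake_priv, "www.ebay.com", fake_pub)
    print("forged certificate accepted:", verify_certificate(ca_pub, forged, "www.ebay.com"))
```

Two failure modes are worth running: an impersonator who mints a certificate for the eBay name with its own key fails the CA signature check, and an impersonator who replays eBay's genuine certificate passes that check but cannot recover the session key, so the connection never gets past the handshake.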

Page 44: Business Information Security Systems

The HR manager received the following appraisal report one day:

“Bob Smith, my assistant programmer, can always be found
hard at work at his desk. He works independently, without
wasting company time talking to colleagues. Bob never
thinks twice about assisting fellow employees, and always
finishes given assignments on time. Often he takes extended
measures to complete his work, sometimes skipping coffee
breaks. Bob is a dedicated individual who has absolutely no
vanity in spite of his high accomplishments and profound
knowledge in his field. I firmly believe that Bob can be
classed as an asset employee, the type which cannot be
dispensed with. Consequently, I duly recommend that Bob be
promoted to executive management, and a proposal will be
executed as soon as possible.”


Page 45: Business Information Security Systems

An alternative to encryption for secrecy

Hides the existence of the message
◦ Using only a subset of letters/words in a longer message, marked in some way
◦ Hiding data in a graphic image or sound file
◦ Using invisible ink

Drawbacks
◦ High overhead to hide relatively few bits of information
◦ Becomes useless once the method is compromised, since there is no key to change

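Two of the hiding techniques the slide lists, as an added Python example that is not part of the slides: a null cipher that reads only a marked subset of a longer text, applied to the appraisal letter from the previous page (take every other line, starting with the first, and the real evaluation appears), and least-significant-bit embedding, which hides one bit of the secret in the low bit of each sample of a carrier. The carrier here is a constructed buffer of grayscale sample values standing in for a raw image, and the 4-byte length prefix is this example's own convention. The functions also make the slide's two drawbacks measurable: eight carrier samples per hidden byte, and extraction is trivial for anyone who knows the method, because there is no key.

```python
# The appraisal letter from the previous slide, with its line breaks kept:
# the line structure is the "marking" the null cipher relies on.
APPRAISAL = """\
Bob Smith, my assistant programmer, can always be found
hard at work at his desk. He works independently, without
wasting company time talking to colleagues. Bob never
thinks twice about assisting fellow employees, and always
finishes given assignments on time. Often he takes extended
measures to complete his work, sometimes skipping coffee
breaks. Bob is a dedicated individual who has absolutely no
vanity in spite of his high accomplishments and profound
knowledge in his field. I firmly believe that Bob can be
classed as an asset employee, the type which cannot be
dispensed with. Consequently, I duly recommend that Bob be
promoted to executive management, and a proposal will be
executed as soon as possible."""


def null_cipher_extract(text, keep_every=2, start=0):
    """Read only every `keep_every`-th line starting at line `start`;
    the other lines are cover text."""
    lines = text.splitlines()
    return " ".join(lines[start::keep_every])


LENGTH_PREFIX = 4  # bytes; this example's own convention so the extractor knows where to stop


def lsb_embed(cover: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the least significant bit of each carrier sample.
    Each sample changes by at most 1, invisible in an 8-bit grayscale image."""
    payload = len(secret).to_bytes(LENGTH_PREFIX, "big") + secret
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} samples, have {len(cover)}")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego: bytes, offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the low bits of samples starting at `offset`."""
    result = bytearray()
    for k in range(count):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[offset + 8 * k + j] & 1)
        result.append(value)
    return bytes(result)


def lsb_extract(stego: bytes) -> bytes:
    """Anyone who knows the method recovers the secret: there is no key."""
    length = int.from_bytes(_read_bytes(stego, 0, LENGTH_PREFIX), "big")
    return _read_bytes(stego, 8 * LENGTH_PREFIX, length)


def capacity_bytes(cover: bytes) -> int:
    """Eight carrier samples per hidden byte, minus the length prefix."""
    return len(cover) // 8 - LENGTH_PREFIX


if __name__ == "__main__":
    print(null_cipher_extract(APPRAISAL))
    cover = bytes((i * 37 + 11) % 256 for i in range(4096))   # constructed 64x64 grayscale "image"
    stego = lsb_embed(cover, b"meet me after the toga party")
    print(lsb_extract(stego), f"{capacity_bytes(cover)} bytes fit in {len(cover)} samples")
```

Real image formats add a wrinkle the raw buffer hides: lossy compression such as JPEG rewrites the low bits, so tools like the JPHIDE program quoted on the next page embed in the compressed coefficients rather than in pixel values.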

Page 47: Business Information Security Systems

These programs are available for test purposes only. Please send me any useful comments for improvements. In particular, if you discover ways to detect the presence of the hidden data (even if you can't extract it) I would like to hear about it. This excludes the case where both the original and the modified jpeg are available (in which case it is a trivial task!)

Remember they are FREE and BETA test versions. They may not work as you expect. I offer no warranty and accept no liability for their use. They are incompatible with earlier versions of similar products I have written.

JPHIDE.EXE is a DOS program to hide a data file in a jpeg file.
JPSEEK.EXE is a DOS program to recover a file hidden with JPHIDE.EXE.
JPHSWIN.EXE is a Windows-95 program which performs the same functions as the two programs above.

The programs are free standing and require no special installation.

Allan Latham <[e-mail address redacted in source]> 7th January 1999.


Page 49: Business Information Security Systems

The risks to users of wireless technology have increased as the service has become more popular
◦ Wireless transmission is broadcast over the air; anyone with the right equipment can intercept the signal
◦ Wireless transmission by default is NOT encrypted!
◦ Wardriving: driving around looking for open or weakly protected access points

Common solutions
◦ Encrypt the transmission! WEP (broken; not recommended), WPA and WPA2
◦ Smart card and USB token for authenticating to the network
◦ Use a wired network for highly sensitive communication

Image source: http://en.wikipedia.org/wiki/Wardriving

Page 50: Business Information Security Systems

Commercial software contains flaws that create security vulnerabilities
◦ Hidden bugs (program code defects)
◦ Zero defects cannot be achieved, because complete testing is not technically or economically possible for large programs
◦ Flaws can open networks to intruders

Patches
◦ Vendors release small pieces of software to repair flaws
◦ However, given the amount of software in use, exploits can be created faster than patches can be released and deployed


Page 51: Business Information Security Systems

Inadequate security and control results in loss of business and may create serious legal liability
◦ Businesses must protect not only their own information assets but also those of customers, employees and business partners. Failure to do so can lead to costly litigation for data exposure or theft

A sound security and control framework that protects business information assets can thus produce a high return on investment


Page 52: Business Information Security Systems

CSOX: Canadian rules corresponding to the Sarbanes-Oxley Act (Bill 198)
◦ Called SOX in the US
◦ Internal controls must be put in place to govern the information in financial statements

ERM: Electronic Records Management
◦ Managing the retention, storage and destruction of electronic records

These controls can be realized by the security services and their implementations introduced earlier


Page 53: Business Information Security Systems

Determine the level of risk to the firm in the case of improper controls
◦ Type of risk
◦ Probability of occurrence
◦ Damage

The expected loss from a risk is its probability times its damage, which bounds what is worth spending on the control against it

Image Source: http://www.scienceinthebox.com/en_UK/safety/riskassessment_en.html

Page 54: Business Information Security Systems


How much are you wiling to spend on security?

Page 55: Business Information Security Systems


Acceptable Use Policy (AUP)
◦ Acceptable uses and users of information and computers
◦ Example

Authorization policies
◦ Determine the levels of access for different users
◦ Often based on security profiles

Business continuity plan

Technical measures used to enforce the policies

Page 56: Business Information Security Systems

Security Profiles for a Personnel System

Figure 8-4

Page 57: Business Information Security Systems

Getting the business up and running after a disaster
◦ Safeguarding people as well as machines

Business measures:
◦ Documenting business processes, so as not to rely on people who may be unavailable
◦ Drills and training

Technical measures:
◦ High-availability computer systems help firms recover quickly from a crash
◦ Fault-tolerant computer systems promise continuous availability and eliminate recovery time altogether by using redundant hardware; often a backup system takes over automatically


Page 58: Business Information Security Systems

A comprehensive assessment of a company's computer security policies, procedures and technical measures
◦ Penetration test: a simulated attack against the systems to find weaknesses before a real attacker does
◦ Video Source: http://video.google.com/videoplay?docid=5642547759793319840#

Risk assessment is done before the security implementation, while auditing is done after it and should be repeated from time to time


Page 59: Business Information Security Systems

Auditor’s List of Weaknesses

Figure 8-5

Page 60: Business Information Security Systems

Users' lack of knowledge or human ignorance is the single greatest cause of computer security breaches!
◦ Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques
◦ Passwords revealed in exchange for a "sweet deal"

Image Source: http://truthaboutlaserhairremoval.com/wp-content/uploads/2010/10/scam-alert-large1-e1288206782821.jpg