8. Introduction to Security

What We Will Cover Announcements Please sit at a computer station I recommend you use same computer every week When class is over, please shut down your computer Log Tails 8.1: Why We Need Security 8.1.1: Protecting What is Valuable 8.1.2: Preventing Attack on Others 8.1.3: Securing Our Privacy Lab Exercise 8.1 8.2: Types of Attacks and Vulnerabilities 8.2.1: Virus 8.2.2: Worm 8.2.3: Trojan Horse 8.2.4: Denial of Service 8.2.5: Spoofing 8.2.6: Bugs 8.2.7: Physical Attack Lab Exercise 8.2 8.3: Security Resources 8.3.1: Learning of Security Risks Lab Exercise 8.3 8.4: Security Basics 8.4.1: Trading Security Vs. Functionality 8.4.2: Determining How Much Security Is Enough 8.4.3: Nothing is Absolutely Secure Lab Exercise 8.4 Wrap Up Assignments Due By Next Meeting: Nothing Log Tails From Last Lab Any questions? Midterm Review WebCT back to top 8.1: Why We Need Security Objectives At the end of the lesson the student will be able to: Describe the need for security Textbook suggests three general reasons for needing security Protecting What is Valuable Preventing Attack on Others Securing Our Privacy Will explore these reasons in this section back to top 8.1.1: Protecting What is Valuable Hard to sleep at night when valuables are not secure What is valuable depends on your definition However, should also depend on what others consider valuable Web sites usually consider their information valuable Why else have a site? Protecting valuable information includes Preventing theft Preventing malicious destruction What types of information might exist on a Web site that we would not want exposed to everyone? To view list of victims see: Google search for hacked or cracked web sites back to top 8.1.2: Preventing Attack on Others Once a machine is compromised, it can be used to attack other machines Cannot dismiss security measures simply because a computer may not contain any important information itself Potential legal issues if your machine is used to attack other sites Cracker can easily masquerade as you Can make it look as though you are carrying out the attack You may take the blame for attacking other sites back to top 8.1.3: Securing Our Privacy Everything about us is online these days Personal health information Credit card data Social security numbers Driver's license number ... Security protects the integrity of this data Also protects against people who may try to intrude on your life What information does it require to open an instant-credit account? What would you do if someone opened and used an account in your name? back to top Lab Exercise 8.1 Use the next 10 minutes to complete the following. Start a text file named exercise8.txt Will be adding to this file during the lesson -- save it often. Prepare the exercise header as described in the HowTo on submitting exercises Label this exercise: Lab 8.1 Answer the following questions. Exercises and Questions Examine the files and data stored directly on your computer. Which files, if any, should not be viewable by the rest of the world? What would the implications be if this information were public knowledge and were accessible to the entire world free of charge? What would the implications be if any of your files were deleted or modified? Now examine the information that is not directly stored on your computer but that you still have access to via your computer. For example banking information you access using the Internet. What information should not be viewable by the rest of the world? What would the implications be if any of this information were public knowledge and were accessible to the entire world free of charge? back to top 8.2: Types of Attacks and Vulnerabilities Objectives At the end of the lesson the student will be able to: Identify various types of attacks Describe various types of attacks Many types of attacks Will look at the major types of attacks in this section back to top 8.2.1: Virus Computer virus gets its name from the way it propagates itself Computers catch viruses by interacting with other infected computers Appends itself to an already existing computer program Loaded into memory with the infected program Can a PC virus affect a Macintosh computer? Java Does Java have any viruses? Though Java has extensive security measures, it does have viruses: Java.StrangeBrew Java.BeanHive JavaClass.Port25 Java applications can have viruses just like any other program However, only three found to date Java applets run in a secure "sandbox" and are generally secure Further Information AVP Virus Encyclopedia Virus Bulletin Virus Encyclopedia: Java Viruses back to top 8.2.2: Worm Worms often confused with a virus Virus attaches itself to existing programs Worm is its own self-contained program or set of programs If it successfully attacks another computer, it copies itself to that computer Further Information Virus Encyclopedia: Internet Worms back to top 8.2.3: Trojan Horse Trojan horse is the electronic equivalent of the famous Greek gift Trojan horse appears to do something completely benign and often useful When you run the program, it appears to be a normal safe program Secretly carries out instructions unrelated to its primary function This type of attack is often very difficult to detect Quick Quiz What is the force given by one milli-helen? Further Information Virus Encyclopedia: Trojan Horses back to top 8.2.4: Denial of Service Denial of service (DoS) attacks deny legitimate use of a service Does not attempt to gain entry -- just interrupts use by others Very hard to protect against this type of attack For Example Web server may be set up to limit number of connections at one time to no more than 1000 DoS attack simply maintains 1000 open connections to the Web server Reduces chances of service to users requesting legitimate connections For Example Distributed Denial of Service (DDoS) involves taking over other peoples machines (creating "zombies") Controller of the zombies will issue instruction for attack against a site May cause an attack by hundreds or thousands of machines Owners of machines usually do not know they are attacking others Further Information See Gibson Research Corporation's Denial of Service homepage Denial of Service (DoS) Attack Resources back to top 8.2.5: Spoofing Spoofing is simply pretending to be a different identity For example: Make e-mail look like it is being sent from someone else Change IP address so it looks like data is coming from a different machine Spoofing often used in conjunction with other attacks Crackers do not want their identity known back to top 8.2.6: Bugs Not all attacks or vulnerabilities stem from crackers’ programs Some are from design (or lack of design) of various vendors’ programs Crackers willing to exploit these bugs For example: buffer overflow Further Information online.securityfocus.com/archive/1 back to top 8.2.7: Physical Attack Cracker can always kidnap you and forcing you to divulge your password Alternatively, can steal your machine How many people lock their screen when they leave their computer? back to top Lab Exercise 8.2 Use the next 15 minutes to complete the following. Label this exercise: Lab 8.2 Answer the following questions. Exercises and Questions Identify Various Types of Attacks Find a program on your computer that you can start multiple copies of. Start up one copy of the program and test the speed of the program. Now start up five or more copies of that program. Retest the speed using the original copy. Continue these steps until you start to notice a difference. (Hint: open about 50 browser windows) What is happening during each test? What type of attack is this? A common attack is the buffer overflow attack. In a buffer overflow attack, an attacker enters in more data than normally would be expected by the program. For instance, entering a URL into your browser that is over 2000 characters long. The program does not first check if the 2000 characters will fit in the 100-character buffer it has allocated to store the URL. As a result, the buffer will overflow into adjacent memory locations, potentially allowing an attacker to execute commands on the machine. What type of attack would this be categorized as? What happens on your machine when you try this? Understand Various Types of Attacks The boot sector is the location on your hard disk containing the instructions necessary for your computer to boot up. The instructions are always the first to be executed each time your computer boots. Many computer viruses attack the boot sector of your operating system as opposed to other executable programs. Why do you think this is? Before cross-platform languages were developed, why could a PC virus not infect a Macintosh machine? Virus protection software fights computer viruses relatively the same way as biological viruses are fought. Will virus protection software protect your computer from a virus not previously discovered? Hackers are always trying to obtain users’ passwords. A Trojan horse is an excellent method of doing so. What type of program would make a good Trojan horse for a password stealer? Why is it not a good idea to blindly run programs you have downloaded from the Internet or that have been sent via e-mail? back to top 8.3: Security Resources Objectives At the end of the lesson the student will be able to: Find security risks that pertain to your site Explore the CERT Coordination Center Advisories Find other security resources back to top 8.3.1: Learning of Security Risks Computer security advances at a rapid pace Many resources available so we can stay up to date on security One of the most widely used security resources is CERT Coordination Center Another is FIRST (Forum of Incident Response and Security Teams) Newsgroups are good source for workarounds and suggestions if vendor does not have fix available Several mailing list you can subscribe to (see text) Another important source is cracker Web sites Crackers will often place source code and binaries on their web sites Can use these as tools to test whether your site is susceptible to that particular attack Need to be very careful when using these tools -- why? Some popular sites that show the latest techniques: www.@statke.com www.attrition.org online.securityfocus.com/archive/ ussrback.com/archives For more information on crackers/hacking Yahoo - Hacking Google - Hacking back to top Lab Exercise 8.3 Use the next 20 minutes to complete the following. Label this exercise: Lab 8.3 Answer the following questions. Exercises and Questions Using the various utilities that come with your computer, determine the answers to the following questions. Linux: Main Menu => Programs => System => System Information Windows: Start => My Computer => View System Information (Also Manage and Control Panel) What type of computer hardware are you using? Which operating system are you running? Include the version number. Which programs do you run on your computer (Web server, Web browser, other programs)? Include the version number. Visit the Web sites of the vendors of the products you listed for your answers to Questions a, b, and c. Search the site for information regarding the products you use, particularly security-related information. What is the latest version of each product? Are you using the latest versions? What security issues, if any, are mentioned regarding each product? Have you sufficiently protected yourself from any vulnerabilities mentioned? Go to the CERT Coordination Center site http://www.cert.org and click on the link to view the advisories. What is the most recent advisory? What is the general nature of the risk this advisory is about? What was the very first CERT Advisory about? Choose an advisory from the archive and read through it. What is the general nature of the advisory you chose? Which platforms are vulnerable? Do all vendors affected by this advisory have fixes available? What type of attack or vulnerability is described by this advisory? Do a search on the Web for "computer security" and visit the sites you find. What sites did you visit? What type of information was available on each site? Do a search on the Web for "hacker" and visit the sites you find. What sites did you visit? What type of information was available on each site? Connect to a news server and search through the USENET newsgroups for newsgroups relating to computer security. Read some of the postings you find in these newsgroups. Which newsgroups did you find? back to top 8.4: Security Basics Objectives At the end of the lesson the student will be able to: Describe the basic rules of security Weakest link in security is ... humans If someone does cause destruction on the network, we'll find that out . . . But mostly if you can get a user not to write his password on his monitor, that's a big step. -- Sam Alaw In-house security breaches account for 70% to 90% of the attacks on corporate computer networks (The enemy within) Various surveys about security breaches, with results of roughly: 55% human error 10% disgruntled employees 10% dishonest employees 10% outsider access 2001 Information Security Industry Survey: Percent of respondents reported these types of problems 89% Viruses/Trojans/Worms 48% Bugs 39% Denial of Service 32% Buffer overflow attacks 28% Active program scripting/mobile code 23% Protocol weaknesses 21% Insecure passwords 2001 Information Security Industry Survey: Insider incidents occur more frequently than external 78% Installation of unauthorized software 60% Use of company computing resources for illegal or illicit communications or activities 60% Use of company computing resources for personal profit 56% Abuse of computer access controls 49% Physical theft, sabotage or intentional destruction of computing equipment 47% Installation/use of unauthorized hardware/peripherals 22% Electronic theft, sabotage or intentional destruction/disclosure of proprietary data or information 9% Fraud Security problems exist In this section, we look at some "rules" of security that help to shed light on these problems back to top 8.4.1: Trading Security Vs. Functionality First basic rule: security and functionality are inversely related More security yields less functionality, and vice versa Data in a guarded vault with no access is useless for anything Should remove functionalities that are not mandatory For example: is FTP access worth the exposure? Another thing to consider is whether you should collect certain types of data Should not collecting data for collecting's sake Do most businesses really need to keep credit-card information? back to top 8.4.2: Determining How Much Security Is Enough How do you know if your security is enough to really be secure? Need enough security so that cracking will require more resources than any cracker will spend For example: if your site is appealing enough to a hacker to spend three weeks dedicated to hacking your site, you must have at a minimum enough security that would require even the most experienced hacker more than three weeks to actually compromise it. Amount of effort they exert depends on how badly they want to get in Must make sure that effort required to crack is more than anyone is willing to spend Difficult question to answers is: how much is that? It is your best estimate What are some things to consider in making this estimate? back to top 8.4.3: Nothing is Absolutely Secure No matter how much security you implement, someone can always break in Part of security is being ready for when the inevitable happens back to top Lab Exercise 8.4 Use the next 10 minutes to complete the following. Label this exercise: Lab 8.4 Answer the following questions. Exercises and Questions Hackers will call up users pretending to be the system administrator and request their password directly. This is often a very successful method of attack, exploiting the weakest link in security. What is the weakest link in security? The ultimate goal for a hacker is to gain superuser access. The superuser is the user with full, unrestricted system access. At this point the hacker has full control over the machine. What can you do if a hacker gains superuser access? back to top Wrap Up When class is over, please shut down your computer => Logout => Shut Down Due Next: Nothing You may complete unfinished exercises at any time before the next class. Be sure to submit the file to the instructor before the beginning of the next class to receive credit. Instructions on submitting exercises are available from the HowTo's page. back to top Home | WebCT | Announcements | Schedule | Expectations | Syllabus | Help | FAQ's | HowTo's | Links Last Updated: 7/16/2003 4:45:40 PM