Title: Security and Privacy on the Internet
1Security and Privacy on the Internet
- A course on Internet Security
- Security is a process. It is a journey.
- --Bruce Schneier
2Security and Privacy on the Internet
- PREFERRED BACKGROUND
- Internet Architecture, TCP/IP suite, POPs, NAPs,
RAs, Peering, GigaPOPs - Evolving Requirements and architecture of
Internet - Wireless and mobile protocols
- Network Application Programming
- Performance Measurement, tcpdump
- The course An introduction to the issues of
security in public distributed networks
3Security and Privacy on the Internet
- Security Planning, Policies and procedures
Threats and Strategies digital rights - security services and mechanisms
- Encryption methods and Secure Protocols, DES,
AES Public Key algorithms VPN - Internet sniffing and scanning tools
- Intrusion Detection, Intrusion Analysis and tools
- General topics Viruses and enterprise anti-virus
tools other applications like digital cash, code
signing and anonymous e-mail
4Grading Scheme
- 60-564
60-467 - Project I 15
15 - Survey of Area 20 15
- Class Test 20
20 - Final Exam 30
35 - Assignments 15 15
- For 60-467, instead of the Survey, it would be
Project II.
5- Why should we study Internet Security?
- Practical (
Mundane) Reasons
6Examples those, who hold the keys to
the Kingdom
- Jim Allchin, Microsoft's Windows chief said in
Oct 2005, I'd already been through lots of days
of personal training on the tools that are used
to do hacking. - Researcher Dan Kaminsky found him to be quite
knowledgeable about Hashing. - Researcher Matt Conover, while talking about a
fairly obscure type of problem called a "heap
overflow, asked the audience, made up mostly of
vice presidents, whether they knew about this
type of issue, 18 of 20 hands went up. (Blue Hat
Conference at Redmond in Oct 2005)
7A news-item
- Privacy commissioner slaps Bell over traffic
management - Jennifer Stoddart rules that Bell could better
explain what it's doing with deep packet
inspection, the technology it uses to slow
traffic of bandwidth hogs - Reference Network World Canada (03 Sep 2009)
-
8Two news-items
- The industry showed a significant level of
dissatisfaction in the ability of companies to
hire information security workers. --- from the
Information Technology Association of Americas
member survey of Sept 2003 - Homeland security allocating money in 2003 for
research in Security at US University so that
more grads can become available for jobs in
security. - Social Networks
9- Demand for IT security professionals is
approaching levels not seen since shortly after
the 9/11 terrorist attacks five years ago. - Emergency Warning to Employers Unless you begin
immediately to increase hiring and intensify
staff development in your security services and
products, you will probably not have sufficient
bench strength for a late 2007 crescendo in
demand.. - --Foote Partners LLC
- http//www.footepartners.com/FooteNewsrelease_ITse
curityskills_070207.pdf - as of Sept 6, 2007
10Estimates of Market for Security Products
- IDC Estimates Internet security market expected
to grow exponentially - Yankee Estimate of market
- Host Intrusion Prevention products and services
60 million in 2002. - Prediction growth at a compound annual rate of
52.7 percent to 520 million by 2007 - secure content delivery products and services
302 million in 2002. - Prediction for 2007 580 million.
- Ironport The Web messaging security market to
grow at about 25 annually. Reference
http//www.ironport.com/company/pp_trading_markets
_01-04-2007.html as of Sept 06, 2007
11Jobs in Security
- "From what we've seen on our site, and from what
I've seen from the industry, security is not
surprisingly very much in demand -- Nick
Doty, Editorial Director of Techies.com - Average Salary Security Analyst (Reference
http//www.esj.com/Columns/article.asp?EditorialsI
D28 ) - Entry (less than 1 year of experience) US
54,090
12.there will be more security breaches,
says Schneier
- As more of our infrastructure moves online,
- as more things, that someone might want to access
or steal, move online . - As our networking systems become more complex
.. - As our computers get more powerful and more
useful..
13- Why should we study Internet Security?
-
14Corporation is the network.
- A company can compete in the global marketplace
only if it has a strong underpinning of reliable
and secure computing and communication
infrastructure. - ? A network.
- Which Network ?
- The latest telephone network Advanced
Intelligent Network - The Internet The Stupid Network
- Ref Rise of the Stupid Network, David
Isenberg, 1997, www.isen.com
15Two laws and the User
- Moores Power of PCs (measured in MIPS)
increases an order of magnitude every 5 years. - Amdahls A Mb of I/O capability is required for
every MIPS of processor performance. - But during 1980s and 90s
- User Accessible Bandwidth at WAN level increased
by an order of magnitude every 20 years.
16Network-computing
- Network-computing Requirements for I/O and
communication speed grow at the same rate. - Assume that
- Communication speed requirement 1/8(I/O
capability) - Example processor power 1000 MIPS
- I/O requirement 1000
Mbps - Communication requirement 125 Mbps
- Study of network architecture for providing
secure and reliable high performance, with the
required QoS an important area of research.
17Problem of Security
- Higher the available compute-power, easier it
is to hack a system. - The network bandwidth of WANs increases at a rate
much lower than the rate of increase of the
available compute-power. - The amount of data being sent cannot be
increased through padding.
18 19Introduction Security
- RFC 1244, Site Security Handbook, by Holbrook,
Reynold, et al. - Common sense the most appropriate tool that
can be used to establish your security policy. - Elaborate security schemes and mechanisms
useful only if the simple controls are NOT
forgotten. - Knowledge ? Confidence ? flowering or
non-blocking of Common-sense
20Security planning
- We want to find a program that "fixes" the
network security problem. Few of us want to write
a paper on network security policies and
procedures. - Physical Security for network equipment and
cables - against natural disasters like fire and
- against mis-behavior by internal authorized users
- is, in fact more important than the threats
through - networks.
21Security planning (contd)
- Components of security planning
- Step 1 assessing the threat,
- Step 2 writing a security policy a statement
of what is allowed and what is not allowed
assigning security responsibilities. - Step 3 Choosing the mechanism, tools and
methodologies to implement the policy - Let us begin with step 2.
22Security Policy
- Two Important Components
- 1.Decentralized Control and
- 2.Clear Definition of Roles and Responsibilities
- Distributed Control through Subnets The subnet
administrator and the system administrator
responsible for their system security. - The subnet administrator allocates IP
addresses and knows his users.
23Security Policy Clear definitions
- A network security policy should define
- The network user's security responsibilities
- The policy may require users
- to change their passwords at certain intervals,
- to use passwords that meet certain guidelines,
- to perform certain checks to see if their
accounts have been accessed by someone else. - Whatever is expected from users, it is
important that it be clearly defined.
24Security Policy (contd)
- The system administrator's security
responsibilities - The policy may require that
- every host use
- specific security measures,
- login banner messages, and
- monitoring and accounting procedures.
- certain applications should not be run on any
host attached to the network.
25Security Policy (contd)
- The proper use of network resources
- Define
- who can use network resources,
- what things they can do, and
- what things they should not do.
- If users email, files, and histories of computer
activity are subject to security monitoring, the
users must be very clearly informed about the
policy.
26Security Policy (contd)
- The actions taken when a security problem is
detected - What should be done when a security problem is
detected? - Prepare a detailed list of the exact steps that a
system administrator, or user, should take when a
security breach has been detected. - Example A user may be required to "touch
nothing, and call the network security officer." - Who should be notified?
- Prepare a disaster recovery plan so that when the
worst does happen, you can recover from it with
the minimum possible disruption.
27Reference
- RFC 1281 A Guideline for the Secure Operation of
the Internet - provides guidance for users and network
administrators on how to use the Internet in a
secure and responsible manner. - useful for preparing the security policy for an
organization.
28A detourA little history of an ancient art
The first printed book on cryptology
- Johannes Trithemius, an abbot in Spanheim One
of the founders of cryptology - The first printed book of cryptology titled
Polygraphiae Libri Sex in German language in
1518 by Johannes Trithemius, published after the
death of the writer. - (The title means -Six Books of Polygraphy)
29A little history (continued)
- Earlier in 1499 he had written a 3-book
- Steganographia, (meaning covered writing)
- which was circulated privately
- was published in 1606.
- The first two books about cryptology.
- But the third book could not be understood,
without understanding the encoding that he had
used.
30A little history (continued) A
challenge for a cryptanalyst
- In the third book, which was considered to be
incomplete, Trithemius explained why he had made
it hard to understand - This I did that to men of learning and men
deeply engaged in magic, it might, by the Grace
of God, be in some degree intelligible, while on
the other hand, to the thick skinned
turnip-eaters it might for all time remain a
hidden secret, and be to their dull intellects a
sealed book forever.
31Ban, what you dont understand.
- The third book banned in 1609, ostensibly
because it explained how to employ spirits for
sending secret messages. - The challenge - of deciphering the book met by
three persons in 500 years - 1676Wolfgang Heidel, the archbishop of Mainz,
Germany, claimed to have deciphered the third
book of Trithemius. - But his discovery was stated in a secret code
of his own. So nobody knew whether Heidel had
understood the book.
32A little history Deciphering the third book
of Trithemius
- 1996Thomas Ernst, Prof of German at La Roche
College, Pittsburgh published a 200-page
German-language report in a small Dutch journal,
Daphnis. - WIDELY KNOWN SOLUTION spring 1998 Jim Reeds of
AT T labs solved the riddle of understanding
the third book independently. - He did not know of the earlier work of Ernst.
- Trithemius work basically simple Ernst took two
weeks and Reeds took two days to understand it. - Both Ernst and Reeds, separately, deciphered
Heidels work and found that Heidel had been able
to decipher Trithemius third book.
33References The Trithemius riddle
- Reference1. Thomas (Penn) Leary, Cryptology in
the 16th and 17th Centuries, Cryptologia, July
1996, available at http//home.att.net/tleary/cry
ptolo.htm - 2. http//www.post-gazette.com/healthscience/19980
629bspirit1.asp - 3. Gina Kolata, A Mystery Unraveled, Twice, The
New York Times, April 14, 1998, pp. F1, F6,
available at http//cryptome.unicast.org/cryptome0
22401/tri-crack.htm
34A challenge for the future
- At 35th birthday of MITs Lab for Computer
Science A time capsule of innovations has been
sealed in the new building of LCS. It contains a
cryptological problem, which may be solved in 35
years on computers,(by 2033), which may be
replaced every year to get higher computing
power. - If you find an algorithm, which solves it
earlier, you can send it to the Director, LCS. - If correct, a special ceremony to unseal the
capsule will be set up. - Referencehttp//theory.lcs.mit.edu/rivest/lcs35-
puzzle-description.txt - getting back from the
detour .
35Step 3 Components of security planning
- Step 1 assessing the threat
- Step 2 writing a security policy (already
discussed) - Step 3 Choosing
- the methodologies,
- tools and
- mechanisms
- to implement the policy
36Methodologies
- Security Procedures to implement the policy
- Goals of security Procedures
- Prevention
- Detection nature, severity of attack and effects
- Recovery and fixing vulnerabilities
- Counterattack or legal recourse
37Procedures
- Usually a procedure implements one part of the
policy. - A union of procedures is supposed to provide
precise security. - Types of procedures
- Secure
- Precise or
- Broad
38Types of Procedures
- P set of all possible states of the system
- S set of secure states, as defined by the policy
- Mset of states to which the system is
constrained by Security procedures - The system is
- Secure if M is contained within S
- Precise if M S
- Broad if there are states in P which are
contained in M but which are not contained in S.
39Procedural and Operational Security
- policies and education on safe computing
practices - desktop configuration management
- proactive probing for vulnerabilities
- Each procedure may be designed to take care of a
(or a set of) threats.
40- New Threats arise and old threats change
- As the use of Internet changes and
- as new technologies are implemented
- Some Threats
- to a networked system
41Security Threats
- RFC 1244 identifies three distinct types of
security threats associated with network
connectivity - Unauthorized access
- A break-in by an unauthorized person.
- Break-ins may be an embarrassment that
undermine the confidence that others have in the
organization. - Moreover unauthorized access ? one of the
other threats-- disclosure of information or - --denial of service.
42Classification of Security Threats
Reference RFC 1244
- Disclosure of information
- disclosure of valuable or sensitive information
to people, who should not have access to the
information. - Denial of service
- Any problem that makes it difficult or impossible
for the system to continue to perform productive
work. - Do not connect to Internet
- a system with highly classified information,
or, - if the risk of liability in case of disclosure
is great.
43Brent Chapmans Three Categories of
Security Threats
- Brent Chapmans Classification
- Confidentiality
- Of data
- Of existence of data
- Of resources, their operating systems, their
configuration - Of resources used, in case the resources are
taken on rent from a service provider
44Information Security Threats
Chapmans Classification (contd.)
- availability A DoS attack may disrupt
- availability of a service, or
- availability of data
- integrity
- Of data
- Of origin
- Once someone has gained unauthorized access
- to a system, the integrity of the information on
- that system is in doubt.
45In the face of threats A
secure system
- Features of a secure system
- A system which is able to maintain
confidentiality of data - A system which is able to maintain integrity of
data - A system, which is available, whenever the user
require it
46- We're in the midst of a huge society-wide
change to move record keeping from paper systems
to digital ones. In consequence, a vast number of
existing rules can and should be rethought and
revised. No better time than now, and no one
better to do it than we. - -- Marc Donner, Google
- New Models for Old
- IEEE Security Privacy, Aug/Sept 2009
47Threats for the Internet/ISP
- propagate false routing entries (black holes)
- domain name hijacking
- link flooding
- packet intercept
- Phishing attacks use e-mails that often appear
to come from a legitimate e-mail address and
include links to spoofed Web addresses. The
receiver responds to the link, which takes the
receiver to a site, other than what the receiver
thinks he is going to. (announced by MS on 16 Dec
2003, as a problem with Internet Explorer).
48Types of Security Threats Additions
- Denial of service
- Illegitimate use
- (Mis)-Authentication
- IP spoofing
- Sniffing the password
- Playback Attack
- Bucket-brigade attack ( when Eve substitutes her
own public key for the public key of Bob in a
message being sent by Bob to Alice) - Generic threats Backdoors, Trojan horses,
viruses etc
49Example of a Security Incident
Phishing
- Phishing (mis)uses the following rule
- If ASCII 00 and 01 characters are used just prior
to _at_ character, IE would not display the rest of
the URL. - Example http//www.whitehouse.gov0100_at_www.hacke
r.com/...... - will show up as http//www.whitehouse.gov in the
status bar, indicating as if the message is from
the White House. However the response will go to
the Hacker.
50Anti-Phishing.org
- A Web site www.antiphishing.org, for reporting
incidents, - set up by a group of global banks and
technology companies, led by Secure-messaging
firm Tumbleweed Communications Corp - Fast Response required
- The phishing Web sites often only in place
for a day. - Example Dec 2003 Phishing e-mail appeared to
come from the U.K. bank NatWest. - Anti-Phishing.org tracked the IP address to a
spoofed home computer in San Francisco. "The
owner of the computer probably had no idea he'd
been hijacked," says Dave Jevans, Tumbleweed's
senior vice president of marketing.
51Common attacks on banks
through Internet
- Common attacks
- phishing (attempts to trick account holders to
give their account authentication details away), - fraudulent association with the bank as part of
investment scams, and - trademark violation
- Losses due to attacks
- "The major banks don't want to divulge the amount
of losses. But just to give one example, a major
Australian bank has put several million dollars
in reserve since August 2003 to cover damages due
to Internet frauds. Dave Jevans, eWeek, Dec
2003
52An Example time-to-market for Internet Security
products
- 16 December, 2003 Discovery of the problem of
Phishing - 5 January 2004 Announcement of development of a
new Anti-phishing service by Netcraft, of Bath,
England. - Netcraft says that the service is mainly for
banks and other financial organizations
53The Netcraft Service
- to detect use of their
- name,
- brands,
- trademarks and
- slogans on the Internet by any unauthorized
party. - to facilitate quick removal of attempts at
"phishing" attacks. - to provide details of the site registration and
hosting locations of potentially offending sites,
- to classify the severity of the incident
-
54The Netcraft Service (continued)
- The service will
- include real-time monitoring of spam for domains,
brands and company names. - monitor
- DNS registrations and
- SSL (Secure Sockets Layer) certificate common
names. - Netcraft known for conducting monthly surveys
since 1995 - http//news.netcraft.com/
- Its database has hostname domain names for
over 58 million web sites, and the front page
content
55Netcraft Surveys
- Data on the market share of
- web servers,
- operating systems,
- hosting providers (hosting locations of the
million busiest web-sites) Largest Hosters
GoDaddy 20 M, ThePlanet 15 M Microsoft 9M
Google 8 M myspace 6M - ISPs,
- encrypted transactions,
- electronic commerce (SSL sites (1996 3283 sites
2009 exceeded 600,000)) - scripting languages and
- content technologies on the internet
56Terminology of Hacking
A few more words
- Snooping (also called passive wire-tapping)
- Active wire-tapping or man-in-the middle attack
- Spoofing or Masquerading of a host or a
service-provider (Distinguish it from Delegation) - Repudiation of origin or of creation of some file
- Denial of receipt
- Usurpation unauthorized control
-