Objectives: - PowerPoint PPT Presentation

Provided by: peopleSe

Transcript and Presenter's Notes

Title: Objectives:


1
Session 10
2
  • Objectives
  • By the end of this session, the student will be
    able to
  • Recognize the basic forms of system attacks
  • Cite the technique used to make data secure
  • Recognize the concepts underlying physical
    protection measures
  • Cite the techniques used to control access to
    computers and networks
  • Cite the strengths and weaknesses of passwords
  • Explain the difference between a
    substitution-based and a transposition-based
    cipher
  • Outline the basic features of public key
    cryptography, Advanced Encryption Standard,
    digital signatures, and the public key
    infrastructure
  • Cite the techniques used to secure communications
  • Recognize the importance of a firewall, and be
    able to describe the two basic types of firewall
    protection

3
Hacker

Hacker saga continues: Mounties nab 15-year-old Canadian
ITworld.com, 4/19/00

UPDATE: The Royal Canadian Mounted Police (RCMP) said that they
have arrested a 15-year-old Montreal boy and charged him in
connection with the largest hacker attacks to date on e-commerce
Web sites in the United States. In accordance with Canadian law,
the identity of the boy, who is said to have used the alias
"Mafia Boy," was not disclosed.

http://security.itworld.com/4339/ITW384/page_1.html
4
Typical Hacker Approach

Step 1: Reconnaissance - ARIN, whois
Step 2: Scanning - wardialing, port scanning, firewalk
Step 3: Exploit Systems
  - Gaining Access - spoofing, hijacking, DNS poisoning
  - Elevating Access - L0phtCrack, Crack, SecHole, getAdmin
  - Application-Level Attacks - CGI attacks, Web state maintenance
  - Denial of Service - CPUhog, WinNuke, Ping of death, Land,
    smurf, SYNflood, Targa, TFN2K, Trin00
Step 4: Keeping Access - Back Orifice 2000, Rootkits, Knark
Step 5: Covering the tracks - logs, reverse WWW shell, Loki
5
Security
  • Basic Premise
  • The means to uniquely identify a person consists
    of using at least one selection from a minimum
    of two of the following categories:
    • Something you have
      • User ID - others may have knowledge of this
      • A token (smart card / SecurID / WatchWord Token)
    • Something you know
      • Password / Passphrase / PIN - only you know this
    • Something you are
      • An attribute of your physical body that is unique
        (fingerprint, hand geometry, iris, retina,
        earprint . . . )

6
Passwords
  • Standard Rules
  • Change password often
  • Pick a good password with
  • At least 8 characters
  • Mix upper-case and lower-case characters
  • Don't choose passwords that are similar to first
    or last names, or other choices easily guessed
  • Don't share your password with others
  • Don't write it down and post it on your monitor

7
Passwords

UNIX Password

Passwd file:
  sample:x:503:100::/home/sample:/bin/bash

Shadow file:
  sample:$2a$05$JGqlq1afYTnH0t3OwOxbOeogkJAo9/vWdbOTQ73fQXRzjBsLvmxXS:12737:0:99999:7:::
8
Monoalphabetic Substitution-Based Ciphers

Plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: P O I U Y T R E W Q L K J H G F D S A M N Z V C X B

Plaintext message: how about lunch at noon
Ciphertext:        EGVPO GNMKN HIEPM HGGH
9
Polyalphabetic Substitution-Based Ciphers

Key:        COMPUTERSCIENCECOMPUTERSCIENCECOMPUTERSCIENCECO
Plaintext:  thisclassondatacommunicationsisthebestclassever
Ciphertext: VVUHWEEJKQVHNVEECYBOGMTSVQSAUMUHTTVXWKUNIWFGZGF
10
Transposition-Based Ciphers

Keyword: COMPUTER
         14358726   (relative position of characters in alphabet)

Plaintext message: this is the best class i have ever taken

  C O M P U T E R
  1 4 3 5 8 7 2 6
  t h i s i s t h
  e b e s t c l a
  s s i h a v e e
  v e r t a k e n

Ciphertext: TESVTLEEIEIRHBSESSHTHAENSCVKITAA
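
The three classical ciphers from the slides above, as an added Python example that is not part of the original presentation: it reproduces each slide's ciphertext from its key and shows that transposition only reorders letters while monoalphabetic substitution only renames them. The function names are assumptions of this example.

```python
import string
from collections import Counter

A = string.ascii_uppercase

def letters(text):
    """Keep letters only, upper-cased (the slides drop spaces and case)."""
    return "".join(c for c in text.upper() if c in A)

def mono_encrypt(plaintext, cipher_alphabet):
    """Monoalphabetic substitution: one fixed 26-letter mapping."""
    return letters(plaintext).translate(str.maketrans(A, cipher_alphabet))

def vigenere_encrypt(plaintext, key):
    """Polyalphabetic substitution: letter i is shifted by key letter i mod len(key)."""
    return "".join(A[(A.index(c) + A.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(letters(plaintext)))

def column_order(keyword):
    """Columns in reading order: alphabetical rank of the keyword letters."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i], i))

def transpose_encrypt(plaintext, keyword):
    """Columnar transposition: write row by row, read columns in key order."""
    p = letters(plaintext)
    return "".join(p[col::len(keyword)] for col in column_order(keyword))

def transpose_decrypt(ciphertext, keyword):
    """Inverse of transpose_encrypt; copes with a short last row."""
    width = len(keyword)
    rows, extra = divmod(len(ciphertext), width)
    cols, pos = {}, 0
    for col in column_order(keyword):
        size = rows + (col < extra)  # the first `extra` columns hold one more letter
        cols[col] = ciphertext[pos:pos + size]
        pos += size
    return "".join(cols[i % width][i // width] for i in range(len(ciphertext)))

def count_profile(text):
    """Letter counts, largest first, ignoring which letter has which count."""
    return sorted(Counter(letters(text)).values(), reverse=True)

if __name__ == "__main__":
    msg = "this is the best class i have ever taken"  # plaintext from slide 10
    ct = transpose_encrypt(msg, "COMPUTER")
    print(ct, transpose_decrypt(ct, "COMPUTER"))
    # Transposition keeps the exact multiset of letters.
    print(sorted(ct) == sorted(letters(msg)))
    # Monoalphabetic substitution keeps the shape of the frequency table.
    mono = mono_encrypt(msg, "POIUYTREWQLKJHGFDSAMNZVCXB")
    print(count_profile(mono) == count_profile(msg))
```

Both preserved properties are what frequency analysis relies on, which is why neither cipher alone is considered secure.
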
11
AES - Rijndael

Animation of Algorithm at work:
http://people.senecac.on.ca/travis.mander/rijndael_ingles2004.swf
12
Windows Firewall

13
Filter Firewall

14
Proxy Firewall
