ECE-8843 Fall 2004

1
ECE-8843 Fall 2004 http//www.csc.gatech.edu/cope
land/jac/8843/ Prof. John A. Copeland john.copel
and_at_ece.gatech.edu 404 894-5177 fax 404
894-0035 Office GCATT Bldg 579 email or call
for office visit, or call Kathy Cheek, 404
894-5696
2
The class Web site is http//www.csc.gatec
h.edu/copeland/jac/8843/ or http//users.ece.gate
ch.edu/copeland/jac/8843/ On this site you will
find Class calendar (test dates, etc.)
Reading assignments (about 20 pages, read before
class) Lecture Notes (ppt files to print)
Homework assignments (and answers), a QA
folder Homework assignments will be text files,
sent to you by email and posted on the Web.
Answers will be edited into them, and they will
be returned by email to me. Since these count
for your final grade, treat homework assignments
like take-home quizzes. Graded versions will be
returned to you by email.
2
3
Objectives of Data Security (relative to
unauthorized persons)
Privacy - not readable Permanent - not
alterable (can't edit, delete) Reliable -
(changes detectable) Signed -
(non-reputable) Acknowledged - (know it was
received) But the data must be accessible to
persons authorized to Read, edit, add,
delete Probably over a network, possibly over
the Internet.
3
4
Attacks, Services, and Mechanisms
Security Attack Any action that compromises
the security of information. Security
Mechanism A mechanism that is designed to
detect, prevent, or recover from a security
attack. Security Service A service that
enhances the security of data processing systems
and information transfers. A security service
makes use of one or more security mechanisms.
4
5
Security Services
Confidentiality (privacy) Authentication (who
created or sent the data) Integrity (has not
been altered) Non-repudiation (the order is
final) Access control (prevent misuse of
resources) Availability (permanence,
non-erasure) - Denial of Service Attacks -
Virus that deletes files
5
6
6
6
7
7
8
Wiring Closet
8
9
Wiring Trough
9
10
10
11
11
12
Security Standards
Internet - Internet Engineering Task Force
(IETF) De Facto (PGP email security system,
Kerberos-MIT) ITU (X.509 Certificates) - not in
book - National Institute of Standards and
Technology (SHA) IEEE Department of Defense, Nat.
Computer Security Center - Tempest (radiation
limits) - Orange Book Class A1, B3, C1, C2,
... Export Controls - High Performance
Computers - Systems with Hard Encryption
12
13
13
14
Viruses, Worms, and Trojan Horses
Virus - code that copies itself into other
programs (usually riding on email messages or
attached documents (e.g., macro viruses). Payload
- harmful things it does, after it has had time
to spread. Worm - a program that replicates
itself across the network (Sapphire single UDP
packet, MSblast TCP opened a back-door) Trojan
Horse - instructions in an otherwise good program
that cause bad things to happen (sending your
data or password to an attacker over the
net). Logic Bomb - malicious code that activates
on an event (e.g., date). Trap Door (or Back
Door) - undocumented entry point written into
code for debugging that can allow unwanted users.
14
15
Virus Protection
Have a well-known virus protection program,
configured to scan disks and downloads
automatically for known viruses. Do not execute
programs (or "macro's") from unknown sources
(e.g., PS files, HyperCard files, MS Office
documents, Java, ...), if you can help it. Avoid
the most common operating systems and email
programs, if possible.
15
16
Password Gathering
Look under keyboard, telephone etc. Look in the
Rolodex under X and Z Call up pretending to
from micro-support, and ask for it. Snoop a
network and watch the plaintext passwords go
by. Tap a phone line - but this requires a very
special modem. Use a Trojan Horse program or
key catcherto record key stokes.
16
17
The Stages of a Network Intrusion
1. Scan the network to locate which IP
addresses are in use, what operating system
is in use, what TCP or UDP ports are open
(being listened to by Servers). 2. Run
Exploit scripts against open ports 3. Get
access to Shell program which is suid (has
root privileges). 4. Download from Hacker Web
site special versions of systems files that will
let Cracker have free access in the future
without his cpu time or disk storage space being
noticed by auditing programs. 5. Use IRC
(Internet Relay Chat) to invite friends to the
feast.
17
18
Web Server
Browser
Application
Application
Router-Firewall can drop packets based on source
or destination, ip address and/or port
Layer
Layer
(HTTP)
(HTTP)
Port 31337
Port 80
Transport
Transport
Layer
Layer
(TCP,UDP)
(TCP,UDP)
Segment No.
Segment No.
Network
Network
Layer (IP)
Layer (IP)
IP Address 130.207.22.5
IP Address 24.88.15.22
Network
Network
Layer
Layer
Token Ring
E'net Data
Token Ring
E'net Data
Link Layer
Link Layer
Data-Link Layer
Data Link Layer
Token Ring
Ethernet
Token Ring
E'net Phys.
Phys. Layer
Phys. Layer
Layer
Phys. Layer
18
19
IP Zone-Access Control
/etc/hosts.deny ALLALL
/etc/hosts.allow in.telnetd 199.77.146
24.88.154.17 in.ftpd 199.77.146.19
199.77.146.102
UNIX and Linux computers allow network
contact to be limited to individual hosts or
subnets (199.77.146 means 199.77.146.any).
Above, telnet connection is available to all on
the 199.77.146.0 subnet, and a single off-subnet
host, 24.88.154.17 FTP service is available to
only to two local hosts, .19 and .102. The
format for each line is daemonhost-list
19
20
IP Zone-Access Control
/etc/hosts.deny ALLALL
/etc/hosts.allow in.telnetd 199.77.146
24.88.154.17 in.ftpd 199.77.146.19
199.77.146.102
UNIX and Linux computers allow network
contact to be limited to individual hosts or
subnets (199.77.146 means 199.77.146.any).
Above, telnet connection is available to all on
the 199.77.146.0 subnet, and a single off-subnet
host, 24.88.154.17 FTP service is available to
only to two local hosts, .19 and .102. The
format for each line is daemonhost-list
20
21
PGP (Pretty Good Privacy) -gt GPG
From "PGP Freeware for MacOS, User's Guide"
Version 6.5, Network Associates, Inc., www.pgp.com
21
22
Access Control
Today almost all systems are protected only by a
simple password that is typed in, or sent over a
network in the clear.Techniques for guessing
passwords 1. Try default passwords. 2. Try all
short words, 1 to 3 characters long. 3. Try all
the words in an electronic dictionary(60,000). 4.
Collect information about the users hobbies,
family names, birthday, etc. 5. Try users phone
number, social security number, street address,
etc. 6. Try all license plate numbers
(123XYZ). Prevention Enforce good password
selection (c0p31an6)
22
23
Kerberos
23