300 likes | 400 Views
Access Security. Outline. Are web systems safe? Authentication Passwords Biometrics Network protection Firewalls, proxy servers Denial of service attacks Viruses. Web Security. Client Side What can the server do to the client? Fool it
E N D
Outline • Are web systems safe? • Authentication • Passwords • Biometrics • Network protection • Firewalls, proxy servers • Denial of service attacks • Viruses
Web Security • Client Side • What can the server do to the client? • Fool it • Install or run unauthorized software, inspect/alter files • Server Side • What can the client do to the server? • Bring it down (denial of service) • Gain access (break-in) • Network • Is anyone listening? (Sniffing) • Is the information genuine? Are the parties genuine?
Internet Sniffing SOURCE: CERT
Methods of User Authentication “1059” • Something you know . . . • Password, PIN, “mother’s maiden name” • Something you have . . . • Physical key, token, magnetic card, smartcard • Something you are . . . • Finger print, voice, retina, iris • Someplace you are • GPS information • Best to use two or more of the above SOURCE: SECURITY DYNAMICS
Biometrics • Use of an unalterable body part or feature to provide identification • History • For 1,000,000 years we couldn’t identify people • France used tattoos; abolished in 1832 • Uniqueness of fingerprints 1890 • Verification v. identification • Weaknesses: • Forgery • Replay attack
LOOP WHORL ARCH DOT LAKE ISLAND BIFURCATION END Fingerprints MAIN SHAPES: MINUTIAE: EACH PERSON HAS A UNIQUE ARRANGEMENT OF MINUTIAE: SOURCE: C3i
Fingerprint Capture ST-Micro TOUCHCHIP (Capacitative) Thompson-CSF FingerChip (Thermal-sensed swipe) DEMO1, DEMO2 American Biometric Company BioMouse (Optical) Biometric Partners Touchless Sensor
Iris Scan • Human iris patterns encode ~3.4 bits per sq. mm • Can be stored in 512 bytes • Patterns do not change after 1 year of life • Patterns of identical twins are uncorrelated • Chance of duplication < 1 in 1078 • Identification speed: 2 sec. per 100,000 people PERSONAL IRIS IMAGER Companies: British Telecom, Iriscan, Sensar SOURCE: IRISCAN
Signature Dynamics • Examines formation of signature, not final appearance • DSV (Dynamic signature verification) • Parameters • Total time • Sign changes in x-y velocities and accelerations • Pen-up time • Total path length • Sampling 100 times/second Companies: CyberSIgn, Quintet, PenOp, SoftPro SignPlus,
Network Security REMOVABLE MEDIA REMOTE LOCATION USER MODEM + TELEPHONE “BACKDOOR” INTERNET CONNECTION RADIO EMISSIONS LOCAL AREA NETWORK ISP INTERNET CONNECTION REMOTEUSER VENDORS AND SUBCONTRACTORS SOURCE: CERT
Sophistication v. Intruder Knowledge SOURCE: CERT
Firewall Architecture SOURCE: CHAPMAN, BUILDING INTERNET FIREWALLS
Network Attacks SOURCE: CERT
Firewall • A device placed between two networks or machines • All traffic in and out must pass through the firewall • Only authorized traffic is allowed to pass • The firewall itself is immune to penetration Company Network Firewall Internet SOURCE: ADAM COLDWELL
Proxy Server SOURCE: CHAPMAN, BUILDING INTERNET FIREWALLS
Distributed Denial of Service Attack INTRUDER SENDS COMMANDS TO HANDLERS INTRUDER VICTIM SOURCE: CERT
DDOS Attack SOURCE: CERT
DDOS Attack SOURCE: CERT
Denial-of-Service Attacks • Attack to disable a machine (server) by making it unable to respond to requests • Use up resources • Bandwidth, swap space, RAM, hard disk • FBI DOS attack (June 1999) 600,000 service requests per second
Internet Ping Flooding Attacking System(s) Victim System SOURCE: PETER SHIPLEY
SYN ACK Server SYN | ACK Client Three-Way Handshake 1: Send SYN seq=x 2: Send SYN seq=y, ACK x+1 3: Send ACK y+1 SOURCE: PETER SHIPLEY
1 SYN 10,000 SYN/ACKs -- VICTIM IS DEAD SMURF ATTACK ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply ICMP = Internet Control Message Protocol INTERNET PERPETRATOR VICTIM INNOCENTREFLECTOR SITES BANDWIDTH MULTIPLICATION: A T1 (1.54 Mbps) can easily yield 100 MBbps of attack SOURCE: CISCO
Code Attacks • Virus • executable code • that attaches itself to other executable code(infection) • to reproduce itself (spread) replicator+concealer+payload • Rabbit, Worm • program that makes many copies of itself and spreads them. Each copy makes copies, etc. Worm spreads via networks. • Trojan Horse • performs unauthorized activity while pretending to be another program. Example: fake login program
Viral Phenomena • Invented ~1985 • More than 36,500 known viruses (NY Times, 6/10/99) • More than in nature • 10-15 new viruses per day • 35% are destructive (up from 10% in 1993) • Virus attacks per computer doubles every two years • Written mostly by men 14-24 • India, New Zealand, Australia, U.S. • Symantec employs 45 people full-time, spread over 24 hours, to detect and neutralize viruses
PROGRAM CODE PROGRAM CODE BUFFER (255 BYTES) BUFFER (255 BYTES) INPUT IS 500 BYTES LONG 245 BYTES ARE OVERWRITTEN WITH HACKER’S DATA NOW HACKER’S CODE CAN BE EXECUTED Exploiting System Bugs • Buffer overflows • Program allocates 255 bytes for input. • Hacker sends 500 bytes.
Viral Phenomena • Stealth capability • Virus “hides” from detection. Installs memory-resident code. • Intercepts file accesses. If attempt is made to access its disk sector, substitutes “clean” data instead. • Mutation • Accidental. Virus gets changed (corrupted) by system • Deliberate. Creator inserts program modification code.“Self-garbling” - unscrambles itself before use • Result: virus becomes hard to detect • Virus toolkits
Virus Detection • Some virus families have common characteristics • Presence or absence of particular strings • Antiviral software • Only detects what it know how to detect. • Must be upgraded regularly for new viruses. • Symantec encyclopedia • File virus • Compare size with known backup copy. • Presence of strings, like “.EXE” • Retrovirus • Attacks or disables antivirus software
Key Takeaways • Evaluate all risks, even internal ones • People do bizarre things when they think no one will find out • Security is for professionals • Unexplored future in biometrics • Proxies give only thin protection • There is no current defense to DOS attacks • There is no defense to new viruses(except Java for a while)
Q A &