1 / 34

Computer Security and Authentication

Computer Security and Authentication. CS 5352 Spring 06. Software Engineering Institute. Federally funded, sponsored by DoD Operated by Carnegie Mellon University About 400 employees Wants a smooth transfer of new Software Engineering Technology into practice Technical theme: Move left

Download Presentation

Computer Security and Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Computer Security and Authentication CS 5352 Spring 06

  2. Software Engineering Institute • Federally funded, sponsored by DoD • Operated by Carnegie Mellon University • About 400 employees • Wants a smooth transfer of new Software Engineering Technology into practice • Technical theme: • Move left • Reuse everything • Never make the same mistake twice

  3. CERT Coordination Center • Overview • Part of the SEI • Formed by DARPA, 1988, after the worm incident • About 100 employees • 3,784 vulnerability reports (2003) • 137,529 computer security incidents (2003) • Purpose • Analyse trends in attacks, vulnerabilities, impact • Coordinate responses to security attacks • Methods to evaluate, improve, maintain security • Publish, disseminate good security practices

  4. Survivability • The ability of a system to fulfill its mission, in a timely manner, in the presence of attacks, accidents, and failures

  5. Critical Need for Information AssuranceIncidents Reported to the CERT/CC

  6. Critical Need for Information AssuranceVulnerabilities Reported to the CERT/CC

  7. Critical Need for Indications and Warnings Novice IntrudersUse CrudeExploit Tools AutomatedScanning/ExploitTools Developed Crude ExploitTools Distributed Widespread Use of Automated Scanning/Exploit Tools Intruders Begin Using New Types of Exploits AdvancedIntruders DiscoverVulnerability

  8. Critical Need for Indications and Warnings

  9. Critical Need for Better Engineering Methods • Resistance, recognition, and response must be integrated into the system and application architecture

  10. Network protocols • Designed for Arpanet, over 20 years ago • But still used nowadays, under a totally different environment

  11. A Different Internet • Armies may cease to march • Stock may lose a hundred points • Businesses may be bankrupted • Individuals may lose their social identity • Threats not from novice teenagers, but purposeful military, political, and criminal organizations

  12. Why Should You Be Concerned Personal data Credit information Medical information Purchasing history Corporate information Political information Societal infrastructure

  13. Computer Vulnerability (2001) Out-of-the-box Linux PC hooked to Internet, not announced: [30 seconds] First service probes/scans detected [1 hour] First compromise attempts detected [12 hours] PC fully compromised: • Administrative access obtained • Event logging selectively disabled • System software modified to suit intruder • Attack software installed • PC actively probing for new hosts to intrude • Clear the disk and try again!

  14. Motivations to Violate Security • Ego • Curiosity • Greed • Revenge • Competition • Political/Ideological

  15. People and Computer Crime • Most damage not due to attacks“Oops!”“What was that?” • No clear profile of computer criminal • Law and ethics may be unclear

  16. Types of Attackers • Script Kiddies • Old-line hackers • Disgruntled Employees • Organized Crime • Corporate Espionage • Foreign Espionage • Terrorists

  17. Buffer overflow • The most important avenue for vulnerabilities • Good programming practice: always verify that the input you receive from uncontrolled source conforms to expected format

  18. Buffer overflow example rlogin program main(argc,argv) int argc; char *argv[]; { … char term[1024]; ... (void)strcpy(term, (p = getenv(“TERM”)) ? p: “network”); … }

  19. Authentication • Four classic ways to authenticate: • something you know (passwords) • something you have (smartcard) • something you are (fingerprint) • something you do (usage signature) • None of these is perfect

  20. Identity theft • Fastest rising crime in the US • FBI won’t help unless losses above $100,000. • Someone can steal an identity with just a social security number!!!

  21. Passwords • Account - person using the system • Username - Identity of account (public) • limited characters, alphanumeric & special characters • typically related to real name of user (not always), certain names reserved • unique on system • fixed at account creation • Passwords – Verification of identity (private) • Less limited length and characters • Fixed until changed • Non-unique passwords – (both users have bad password) • Many Multi-user Operating Systems have same scheme

  22. Password Security • Password security depends on ONLY you knowing the password • Secure selection • Secure handling • Secure storage

  23. Password Storage • “trapdoor encrypted” • scrambled in a way that cannot be unscrambled • scrambling folds password over itself - lost bits • different users with same password won’t have same scrambled password • login scrambles entered password and compares against stored scrambled password • original concept: since only scrambled passwords are available, storage is secure (FALSE!) • longpre:br1eXN8N3pyAB

  24. Password Attacks • Easy to Hard • Given password • Grab password • Generate password • Guess password

  25. Given Password • Look It Up • Default passwords • Posted passwords • Ask for It (Social Engineering) • As colleague • As friend • As administrator / authority • As clueless & needy • Countermeasures • Education • Other authentication

  26. Grab Password (locally) • Physical proximity • Shoulder surfing • Countermeasures • Education • Exercises • One-time passwords • Program access • Trojan Horse • Perverted program • Countermeasures • Integrity checks • Other authentication

  27. Other Network Attacks • Tapping • Method depends on network medium • Countermeasures: • Encryption • Physical protection & inspection • Van Eck Radiation • Current through wire: Radio waves • Receiver tunes in on hosts/network • Countermeasures: • Encryption • Distance • Emission Control

  28. Generate Password • Use a dictionary • Requires: Scrambled password, Encryption method & Large dictionary • Password Cracking • Natural language words and slang • Backwards / Forwards / Punctuation and Numbers inserted • Program: 27,000 passwords in approx 3 seconds (Pentium II/133) • Countermeasures • Preventive strike (BEWARE) • Password rules • Other authentication

  29. Guess Password • Use knowledge of user • System information • Personal information • Occupation information • Often combined with dictionary attack • Countermeasures • Password rules • Other authentication

  30. Password Changing • When? • Forced or voluntary • Regularly or event driven • Considerations • Increase security? • Fix a stolen password problem • However, stolen passwords are often used quickly • False sense of security • Too frequent password changes encourage • weak passwords • written down passwords

  31. Passwords on Many Machines • One or Many? • Ease of memorization vs. likelihood of writing • Options: • Secure stored passwords • Network authentication method • Algorithm for varying passwords • Seldom used passwords in encrypted file

  32. Something You Have • Convert logical security to physical security • One-time pad • Strip card / smart card • Dongle • Challenge-Response calculator • Problems: Cost & token issuing/handling • Advantages: Physical presence; hard to hack

  33. Smart cards for identification • Hard to duplicate • If weak protocol and a lot at stake, fakes WILL appear • Use of zero-knowledge algorithms • Guarantee valid user but preserves privacy • Attacks on smart cards • Power supply • Chemical stripping • Emissions

  34. Something You Are • Biometrics: Measure physical characteristic • Face geometry • Hand geometry • Fingerprint • Voiceprint • Retinal Scan • Signature • Advantages: Physical presence, not easily lost • Disadvantages: Cost, Security, Variation, Handicaps, Success ratio

More Related