Download presentation
Presentation is loading. Please wait.
1
Computer Security and Authentication
CS 5352 Spring 06
2
Software Engineering Institute
Federally funded, sponsored by DoD Operated by Carnegie Mellon University About 400 employees Wants a smooth transfer of new Software Engineering Technology into practice Technical theme: Move left Reuse everything Never make the same mistake twice
3
CERT Coordination Center
Overview Part of the SEI Formed by DARPA, 1988, after the worm incident About 100 employees 3,784 vulnerability reports (2003) 137,529 computer security incidents (2003) Purpose Analyse trends in attacks, vulnerabilities, impact Coordinate responses to security attacks Methods to evaluate, improve, maintain security Publish, disseminate good security practices
4
Survivability The ability of a system to fulfill its mission, in a timely manner, in the presence of attacks, accidents, and failures
5
Critical Need for Information Assurance Incidents Reported to the CERT/CC
The number of attacks on networked computers increases every year. Sensitive information is regularly compromised. There is a critical need to improve the way we manage risk and manage our systems to reduce the chance of attack or the amount of damage.
6
Critical Need for Information Assurance Vulnerabilities Reported to the CERT/CC
The number of attacks on networked computers increases every year. Sensitive information is regularly compromised. There is a critical need to improve the way we manage risk and manage our systems to reduce the chance of attack or the amount of damage.
7
Critical Need for Indications and Warnings
Novice Intruders Use Crude Exploit Tools Automated Scanning/Exploit Tools Developed Crude Exploit Tools Distributed Widespread Use of Automated Scanning/Exploit Tools Intruders Begin Using New Types of Exploits Advanced Intruders Discover Vulnerability The graph indicates the cycle of vulnerability exploitation. New attack techniques are well automated and use the distributed nature of the Internet; they can reach tens of thousands of computers in minutes or hours, where it once took weeks or months. This fast exploitation limits the time security experts like those at the CERT/CC have to analyze the problem and warn the Internet community. Likewise, system administrators and users have little time to protect their systems. They won’t have time to act in the future unless they have advanced indications and warnings. Thus, there is a critical need for advanced indications and warnings.
8
Critical Need for Indications and Warnings
This is another view of the critical need for the work being done at the SEI. New attack techniques are well automated and use the distributed nature of the Internet; they can reach tens of thousands of computers in minutes or hours, where it once took weeks or months. This fast exploitation limits the time security experts like those at the CERT/CC have to analyze the problem and warn the Internet community. Likewise, system administrators and users have little time to protect their systems. They won’t have time to act in the future unless they have advanced indications and warnings. Thus, there is a critical need for advanced indications and warnings.
9
Critical Need for Better Engineering Methods
Resistance, recognition, and response must be integrated into the system and application architecture
10
Network protocols Designed for Arpanet, over 20 years ago
But still used nowadays, under a totally different environment
11
A Different Internet Armies may cease to march
Stock may lose a hundred points Businesses may be bankrupted Individuals may lose their social identity Threats not from novice teenagers, but purposeful military, political, and criminal organizations
12
Why Should You Be Concerned
Personal data Credit information Medical information Purchasing history Corporate information Political information Societal infrastructure
13
Computer Vulnerability (2001)
Out-of-the-box Linux PC hooked to Internet, not announced: [30 seconds] First service probes/scans detected [1 hour] First compromise attempts detected [12 hours] PC fully compromised: Administrative access obtained Event logging selectively disabled System software modified to suit intruder Attack software installed PC actively probing for new hosts to intrude Clear the disk and try again!
14
Motivations to Violate Security
Ego Curiosity Greed Revenge Competition Political/Ideological
15
People and Computer Crime
Most damage not due to attacks “Oops!” “What was that?” No clear profile of computer criminal Law and ethics may be unclear
16
Types of Attackers Script Kiddies Old-line hackers
Disgruntled Employees Organized Crime Corporate Espionage Foreign Espionage Terrorists
17
Buffer overflow The most important avenue for vulnerabilities
Good programming practice: always verify that the input you receive from uncontrolled source conforms to expected format
18
Buffer overflow example
rlogin program main(argc,argv) int argc; char *argv[]; { … char term[1024]; ... (void)strcpy(term, (p = getenv(“TERM”)) ? p: “network”); }
19
Authentication Four classic ways to authenticate:
something you know (passwords) something you have (smartcard) something you are (fingerprint) something you do (usage signature) None of these is perfect
20
Identity theft Fastest rising crime in the US
FBI won’t help unless losses above $100,000. Someone can steal an identity with just a social security number!!!
21
Passwords Account - person using the system
Username - Identity of account (public) limited characters, alphanumeric & special characters typically related to real name of user (not always), certain names reserved unique on system fixed at account creation Passwords – Verification of identity (private) Less limited length and characters Fixed until changed Non-unique passwords – (both users have bad password) Many Multi-user Operating Systems have same scheme
22
Password Security Password security depends on ONLY you knowing the password Secure selection Secure handling Secure storage
23
Password Storage “trapdoor encrypted” longpre:br1eXN8N3pyAB
scrambled in a way that cannot be unscrambled scrambling folds password over itself - lost bits different users with same password won’t have same scrambled password login scrambles entered password and compares against stored scrambled password original concept: since only scrambled passwords are available, storage is secure (FALSE!) longpre:br1eXN8N3pyAB
24
Password Attacks Easy to Hard Given password Grab password
Generate password Guess password
25
Given Password Look It Up Ask for It (Social Engineering)
Default passwords Posted passwords Ask for It (Social Engineering) As colleague As friend As administrator / authority As clueless & needy Countermeasures Education Other authentication
26
Grab Password (locally)
Physical proximity Shoulder surfing Countermeasures Education Exercises One-time passwords Program access Trojan Horse Perverted program Integrity checks Other authentication
27
Other Network Attacks Tapping Van Eck Radiation
Method depends on network medium Countermeasures: Encryption Physical protection & inspection Van Eck Radiation Current through wire: Radio waves Receiver tunes in on hosts/network Distance Emission Control
28
Generate Password Use a dictionary
Requires: Scrambled password, Encryption method & Large dictionary Password Cracking Natural language words and slang Backwards / Forwards / Punctuation and Numbers inserted Program: 27,000 passwords in approx 3 seconds (Pentium II/133) Countermeasures Preventive strike (BEWARE) Password rules Other authentication
29
Guess Password Use knowledge of user
System information Personal information Occupation information Often combined with dictionary attack Countermeasures Password rules Other authentication
30
Password Changing When? Considerations Forced or voluntary
Regularly or event driven Considerations Increase security? Fix a stolen password problem However, stolen passwords are often used quickly False sense of security Too frequent password changes encourage weak passwords written down passwords
31
Passwords on Many Machines
One or Many? Ease of memorization vs. likelihood of writing Options: Secure stored passwords Network authentication method Algorithm for varying passwords Seldom used passwords in encrypted file
32
Something You Have Convert logical security to physical security
One-time pad Strip card / smart card Dongle Challenge-Response calculator Problems: Cost & token issuing/handling Advantages: Physical presence; hard to hack
33
Smart cards for identification
Hard to duplicate If weak protocol and a lot at stake, fakes WILL appear Use of zero-knowledge algorithms Guarantee valid user but preserves privacy Attacks on smart cards Power supply Chemical stripping Emissions
34
Something You Are Biometrics: Measure physical characteristic
Face geometry Hand geometry Fingerprint Voiceprint Retinal Scan Signature Advantages: Physical presence, not easily lost Disadvantages: Cost, Security, Variation, Handicaps, Success ratio
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.