Presentation is loading. Please wait.

Presentation is loading. Please wait.

ECE-8843 Fall 2004 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office:

Similar presentations


Presentation on theme: "ECE-8843 Fall 2004 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office:"— Presentation transcript:

1 ECE-8843 Fall 2004 http://www.csc.gatech.edu/copeland/jac/8843/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: GCATT Bldg 579 email or call for office visit, or call Kathy Cheek, 404 894-5696

2 The class Web site is: http://www.csc.gatech.edu/copeland/jac/8843/ or http://users.ece.gatech.edu/~copeland/jac/8843/ On this site you will find: Class calendar (test dates, etc.) Reading assignments (about 20 pages, read before class) Lecture Notes (ppt files to print) Homework assignments (and answers), a Q&A folder Homework assignments will be text files, sent to you by email and posted on the Web. Answers will be edited into them, and they will be returned by email to me. Since these count for your final grade, treat homework assignments like take-home quizzes. Graded versions will be returned to you by email. 2

3 Privacy - not readable Permanent - not alterable (can't edit, delete) Reliable - (changes detectable) Signed - (non-reputable) Acknowledged - (know it was received) But the data must be accessible to persons authorized to: Read, edit, add, delete Probably over a network, possibly over the Internet. Objectives of Data Security (relative to unauthorized persons) 3

4 * Security Attack: Any action that compromises the security of information. * Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack. * Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms. Attacks, Services, and Mechanisms 4

5 Security Services * Confidentiality (privacy) * Authentication (who created or sent the data) * Integrity (has not been altered) * Non-repudiation (the order is final) * Access control (prevent misuse of resources) * Availability (permanence, non-erasure) - Denial of Service Attacks - Virus that deletes files 5

6 66

7 7

8 Wiring Closet 8

9 Wiring Trough 9

10 10

11 11

12 Security Standards Internet - Internet Engineering Task Force (IETF) De Facto (PGP email security system, Kerberos-MIT) ITU (X.509 Certificates) - not in book - National Institute of Standards and Technology (SHA) IEEE Department of Defense, Nat. Computer Security Center - Tempest (radiation limits) - Orange Book: Class A1, B3, C1, C2,... Export Controls - High Performance Computers - Systems with “Hard” Encryption 12

13 13

14 Virus - code that copies itself into other programs (usually riding on email messages or attached documents (e.g., macro viruses). Payload - harmful things it does, after it has had time to spread. Worm - a program that replicates itself across the network (Sapphire: single UDP packet, MSblast: TCP opened a back-door) Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net). Logic Bomb - malicious code that activates on an event (e.g., date). Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users. Viruses, Worms, and Trojan Horses 14

15 Have a well-known virus protection program, configured to scan disks and downloads automatically for known viruses. Do not execute programs (or "macro's") from unknown sources (e.g., PS files, HyperCard files, MS Office documents, Java,...), if you can help it. Avoid the most common operating systems and email programs, if possible. Virus Protection 15

16 16 Password Gathering Look under keyboard, telephone etc. Look in the Rolodex under “X” and “Z” Call up pretending to from “micro-support,” and ask for it. “Snoop” a network and watch the plaintext passwords go by. Tap a phone line - but this requires a very special modem. Use a “Trojan Horse” program or “key catcher”to record key stokes.

17 17 The Stages of a Network Intrusion 1. Scan the network to: locate which IP addresses are in use, what operating system is in use, what TCP or UDP ports are “open” (being listened to by Servers). 2. Run “Exploit” scripts against open ports 3. Get access to Shell program which is “suid” (has “root” privileges). 4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. 5. Use IRC (Internet Relay Chat) to invite friends to the feast.

18 18 Application Layer (HTTP) Transport Layer (TCP,UDP) Network Layer (IP) E'net Data Link Layer Ethernet Phys. Layer Network Layer E'net Data Link Layer E'net Phys. Layer Network Layer Web Server Browser Router-Firewall can drop packets based on source or destination, ip address and/or port Application Layer (HTTP) Transport Layer (TCP,UDP) Network Layer (IP) Token Ring Data-Link Layer Token Ring Phys. Layer IP Address 130.207.22.5 IP Address 24.88.15.22 Port 80 Port 31337 Segment No. Token Ring Data Link Layer Token Ring Phys. Layer

19 IP Zone-Access Control /etc/hosts.deny ALL:ALL /etc/hosts.allow in.telnetd: 199.77.146 24.88.154.17 in.ftpd: 199.77.146.19 199.77.146.102 UNIX and Linux computers allow network contact to be limited to individual hosts or subnets (199.77.146 means 199.77.146.any). Above, telnet connection is available to all on the 199.77.146.0 subnet, and a single off-subnet host, 24.88.154.17 FTP service is available to only to two local hosts,.19 and.102. The format for each line is “daemon:host-list” 19

20 IP Zone-Access Control /etc/hosts.deny ALL:ALL /etc/hosts.allow in.telnetd: 199.77.146 24.88.154.17 in.ftpd: 199.77.146.19 199.77.146.102 UNIX and Linux computers allow network contact to be limited to individual hosts or subnets (199.77.146 means 199.77.146.any). Above, telnet connection is available to all on the 199.77.146.0 subnet, and a single off-subnet host, 24.88.154.17 FTP service is available to only to two local hosts,.19 and.102. The format for each line is “daemon:host-list” 20

21 From "PGP Freeware for MacOS, User's Guide" Version 6.5, Network Associates, Inc., www.pgp.com 21 PGP (Pretty Good Privacy) -> GPG

22 22 Access Control Today almost all systems are protected only by a simple password that is typed in, or sent over a network in the clear.Techniques for guessing passwords: 1. Try default passwords. 2. Try all short words, 1 to 3 characters long. 3. Try all the words in an electronic dictionary(60,000). 4. Collect information about the user’s hobbies, family names, birthday, etc. 5. Try user’s phone number, social security number, street address, etc. 6. Try all license plate numbers (123XYZ). Prevention: Enforce good password selection (c0p31an6)

23 23 Kerberos


Download ppt "ECE-8843 Fall 2004 Prof. John A. Copeland 404 894-5177 fax 404 894-0035 Office:"

Similar presentations


Ads by Google