Upload
britton-page
View
216
Download
1
Tags:
Embed Size (px)
Citation preview
CS363Week 1 - Wednesday
Last time
What did we talk about last time? Course overview Terminology
Threats Vulnerabilities Attacks Controls
CIA
Questions?
Security Tidbit: Patch Tuesday! Yesterday was Patch Tuesday
Microsoft, Oracle, and Adobe put out their patches on the second Tuesday of the month
Oracle (Java's owner) only puts them out quarterly
Are these patches available for Java 6? No! Unless you have an expensive support
license from Oracle And this lab has Java 6!
Security tidbit continued
Welcome to Exploit Wednesday! Because the patches on Patch Tuesday are
often to fix security holes, today is one of the most dangerous days for computer security All the hackers now know exactly what
vulnerabilities can be attacked 36 of the fixes will be for Java 7 SE products
34 of these cover remote exploits without authentication
Follow the story: http://www.zdnet.com/oracle-to-patch-java-other-
products-tuesday-7000025023/
Computer Criminals
Amateurs
Most computer criminals are amateurs
They commit crimes of opportunity Time-stealing is common Disgruntled or recently fired
employees can use their knowledge of a system to attack it
Crackers
You are all hackers by now A malicious hacker is called a
cracker A large segment of crackers are high
school or college students They often attempt to gain access to
other people’s computer systems for the fun or challenge of it
Career Criminals
Most professional crackers are trained computer scientists who have turned to crime
In the early days of hacking and viruses, destroying hardware, software, or data was the goal
Professional crackers now look to make money by stealing valuable data
There are connections to organized crime Many attacks come from Russia, Asia, and
Brazil
Terrorists
Modern terrorists are often computer savvy Three common forms of terrorist computer
usage are: Targets of attack
Denial-of-service and defacement of websites Propaganda vehicles
Websites and e-mail lists used to disseminate information
Methods of attackUsing computers to coordinate or initiate other forms of terrorism
Methods of Defense
Methods
There are five common ways of dealing with attacks, many of which can be used together
Prevent• Remove the vulnerability from the system
Deter• Make the attack harder to execute
Deflect• Make another target more attractive (perhaps
a decoy)Detect• Discover that the attack happened,
immediately or later
Recover• Recover from the effects of the attack
Controls
Many different controls can be used to achieve the five methods of defense
Encryption
Encryption is the scrambling of data Often a key or some other secret information
is used to do the scrambling Without knowledge of the secret, the data
becomes useless Modern encryption is one of the most
powerful tools for preserving computer security
Most modern attacks do not depend on breaking encryption but on circumventing it
Encryption
The process of encryption takes plaintext as an input and produces ciphertext as an output
Plaintext (or cleartext) is not necessarily human readable, but its contents are not protected in any way
Using cryptography, we can build protocols to support confidentiality and integrity (and even availability indirectly)
As useful as it is, encryption is not a panacea
Software controls
Software controls include: Internal program controls▪ Parts of a program that enforce security▪ Example: password checking to access parts of a database
OS and network controls▪ Tools to protect users from each other▪ Example: user files that cannot be accessed by other users)
Independent control programs▪ Application programs that protect against specific
vulnerabilities▪ Example: virus scanners
Development controls▪ Quality control for creating software so that vulnerabilities are
not introduced
Hardware controls
There are many different kinds of hardware controls that can be used for many different situations: Smart cards used for encryption on
satellite or cable television set-top boxes Locks and cables preventing theft Fingerprint or other biometric readers Firewalls Many others
Policies and procedures
Human beings ultimately get involved It is important to have policies and
procedures to guide their actions, such as: Change passwords regularly Don’t give people your password Don’t allow coworkers access to data they
should not have Laws are important policies with
consequences, but they react slowly to the rapid changes in technology
Physical controls
Physical controls can be inexpensive and effective Locks on doors Security guards Backup copies of data Planning for natural disasters and fires
Simple controls are often the best Attackers will always look for a weak
point in your defenses
Effectiveness of controls
Many issues impact the effectiveness of controls Awareness of problem
Users must be convinced that it is worth using the controls Likelihood of use
The controls must be easy enough to use that the task performed is not seriously affected
Overlapping controlsOverlapping controls or a layered defense can help, but sometimes the controls negatively impact each other
Periodic reviewConditions change, and controls must be reviewed periodically and updated when needed
Cryptography
Cryptography
"Secret writing" The art of encoding a message so
that its meaning is hiddenCryptanalysis is breaking those
codes
Encryption and decryption
Encryption is the process of taking a message and encoding it
Decryption is the process of decoding the code back into a message
A plaintext is a message before encryption
A ciphertext is the message in encrypted form
A key is an extra piece of information used in the encryption process
Notation
A plaintext is M (sometimes P) A ciphertext is C The encryption function E(x) takes M and
converts it into C E(M) = C
The decryption function D(x) takes C and converts it into M D(C) = M
We sometimes specify encryption and decryption functions Ek(x) and Dk(x) specific to a key k
Attacks
Cryptography is supposed to prevent people from reading certain messages
Thus, we measure a cryptosystem based on its resistance to an adversary or attacker
Kinds of attacks: Ciphertext only: Attacker only has access to an
encrypted message, with a goal of decrypting it Known plaintext: Attacker has access to a plaintext
and its matching ciphertext, with a goal of discovering the key
Chosen plaintext: Attacker may ask to encrypt any plaintext, with a goal of discovering the key
Others, less common
Cryptanalysis
There are two kinds of security for encryption schemes Unconditionally secure▪ No matter how much time or energy an attacker has, it is impossible
to determine the plaintext Computationally secure▪ The cost of breaking the cipher exceeds the value of the encrypted
information▪ The time required to break the cipher exceeds the useful lifetime of
the information We focus on computationally secure, because there is
only one practical system that is unconditionally secure
"I want them to remain secret for as long as men are capable of evil" -Avi from Cryptonomicon
Modular Arithmetic Overview
Review of Modular Arithmetic Modulo operator takes the remainder Two numbers are said to be congruent
modulo n if they have the same remainder when divided by n
For example,39 3 (mod 12)
Addition, subtraction, and multiplication: [(a mod n) + (b mod n)] mod n = (a + b) mod n
[(a mod n) – (b mod n)] mod n = (a – b) mod n [(a mod n) x (b mod n)] mod n = (a x b) mod n
Divided and Conquered
We can’t actually divide Instead, we have to find the
multiplicative inverse The multiplicative inverse of x exists if
and only if x is relatively prime to n 13 ∙ 5 65 1 (mod 16) So, 13 and 5 are multiplicative inverses
mod 16 But, 0, 2, 4, 6, 8, 10, and 12 do not have
multiplicative inverses mod 16
Sign up for Presentations
Upcoming
Next time…
Cryptography basics Stream and block ciphers Shift ciphers
Reminders
Read Sections 2.1 and 2.2