Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.

For the best experience please use the latest Chrome, Safari or Firefox browser.

CIS 115

Lecture 23: Security

How can we keep our data secure?

Image Source: jadikreatif on Flickr

Authentication

  • Ownership Factors - user has
    ID card, badge, token
  • Knowledge Factors - user knows
    PIN, password, response
  • Inherence Factors - user is
    Biometrics

Passwords

Image Source: XKCD

Cracking Passwords - Brute Force

  • aaaaaa
  • aaaaab
  • aaaaac
  • aaaaad
  • aaaaae
  • aaaaaf
  • aaaaag
  • aaaaah
  • aaaaai
  • aaaaaj
  • aaaaak
  • aaaaal
  • aaaaam
  • aaaaan
  • aaaaao
  • aaaaap
  • aaaaaq
  • aaaaar
  • aaaaas
  • aaaaat
  • aaaaau

Cracking Passwords - Lookup Table

  • password
  • 123456
  • 12345678
  • abc123
  • qwerty
  • monkey
  • letmein
  • dragon
  • 111111
  • baseball
  • iloveyou
  • trustno1
  • 1234567
  • sunshine
  • master
  • 123123
  • welcome
  • shadow
  • ashley
  • football
  • jesus

Source: Gizmodo

Rainbow Tables

Password Entropy

Image Source: XKCD

Password Entropy

Image Source: XKCD

Password Entropy

Image Source: XKCD

Storing Passwords Securely

Store the password itself

  • Needed to compromise: database access
  • Accounts compromised: all
  • Relative ease: simple

Storing Passwords Securely

Encrypt all passwords with a key

  • Needed to compromise: database & key (or lookup table)
  • Accounts compromised: all
  • Relative ease: medium

Password Salt

  • Random data added to a password before hashing
  • Protects against dictionary and rainbow table attacks
  • Ensures the password is long enough to be hard to crack

Storing Passwords Securely

Encrypt all passwords with a global salt value

  • Needed to compromise: database, encryption key & salt value
  • Accounts compromised: all
  • Relative ease: harder

Storing Passwords Securely

Encrypt all passwords with a unique salt value

  • Needed to compromise: database, encryption key & salt value
  • Accounts compromised: one at a time
  • Relative ease: really hard

Image Source: XKCD

Social Engineering

Using techniques to compromise a system by exploiting the users directly instead of the system's security

Image Source: Wikipedia

Pretexting

Image Source: Penetration Test Lab

Impersonation

Image Source: 1worder

Image Source: John Gosier on Flickr

Phishing

419 Scams

  • Section 419 of Nigeria's Criminal Code
  • Advance-fee fraud
  • Pay a small sum of money now, they transfer a you large sum of money later

419 Scams

Baiting

Image Source: Wikipedia

Threats

Image Source: XKCD

Combating Social Engineering

  • User Training
  • Security Protocols and Audits
  • Always Questioning Everything
  • Penetration Testing
  • Properly Disposing of Garbage

Social Engineering in Practice

  • "Capture the Flag" style contest held at DEF CON 21
  • Contestant try to gain information about companies via the internet
  • Using that information, they call the company and attempt to gain more information flags for points

Read the Report

Interception Attacks

Intercepting information in order to impersonate another entity or modify the information before it is received

Man in the Middle Attack

Image Source: Wikipedia

Man in the Browser Attack

Image Source: Cronto

Combating Interception Attacks

  • Public Key Authentication
  • Mutual Authentication
  • Latency Examination
  • Second Channel Verification

Malware

  • Virus
  • Ransomware
  • Trojans / Worms
  • Rootkits
  • Keyloggers
  • Spyware
  • Adware
  • Fake Security Software

Morris Worm

Image Source: Wikipedia

Morris Worm

  • Intended to study the size of the internet
  • Caused machines to overload and fail
  • Infected 6000 machines (10% of the internet)
  • First major worm on the internet

Morris Worm

  • Infected machines even if they were already infected 1 out of 7 times
  • Many machines infected multiple times
  • Creator sentenced to 3 years probation and paid $10,000 fine

Image Source: Wikipedia

Conficker

  • January 2009 - 9-15 million infected
  • Fix released in October 2008, but 30% of PCs didn't have it installed by Jan 2009
  • Mid 2011 - 1.7 million infected
  • Many government and corporate networks infected

Stuxnet

Image Source: Wikipedia

Stuxnet

  • Designed to infect Siemens SCADA systems
  • Only targets systems doing a very specific job
  • Sends faulty data to the controller while presenting fake data to the user

Fake AntiVirus

Cryptolocker

Image Source: Geek.com

Cryptolocker

  • Installed via a malicious email attachment
  • Communicates with a server to receive a 2048-bit RSA public key
  • Encrypts documents with public key and holds them ransom
  • Current ransom: 2 bitcoins (~$300)

Software Attacks

Attacking vulnerabilities in the software running on a system to gain access or retrieve secure data

SQL Injection

Image Source: XKCD

SQL Injection

statement := "SELECT * FROM userinfo
               WHERE id = " + a_variable + ";”
a_variable = “1”
SELECT * FROM userinfo WHERE id=1;

SQL Injection

statement := "SELECT * FROM userinfo
               WHERE id = " + a_variable + ";”
a_variable = “1”
SELECT * FROM userinfo WHERE id=1;


statement := "SELECT * FROM userinfo
               WHERE id = " + a_variable + ";”
a_variable = “1;DROP TABLE users;”
SELECT * FROM userinfo WHERE id=1;DROP TABLE users;

SQL Injection

http://books.example.com/showReview.php?ID=5 
SELECT * FROM bookreviews WHERE ID = '5';

SQL Injection

http://books.example.com/showReview.php?ID=5 
SELECT * FROM bookreviews WHERE ID = '5';


http://books.example.com/showReview.php?ID=5 AND 1=1
SELECT * FROM bookreviews WHERE ID = '5' AND '1'='1';

SQL Injection

http://books.example.com/showReview.php?ID=5 
SELECT * FROM bookreviews WHERE ID = '5';


http://books.example.com/showReview.php?ID=5 AND 1=1
SELECT * FROM bookreviews WHERE ID = '5' AND '1'='1';



http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4
SELECT * FROM bookreviews WHERE ID = '5' AND substring(@@version,1,1)=4;

Buffer Overflow

Image Source: Wikipedia

Buffer Overflow

Image Source: Wikipedia

Why?

Account Access

Image Source: Wikipedia

Botnets

Image Source: Wikipedia

Social Activism / Hactivism

Image Source: Wikipedia

Chaos

Image Source: Wikipedia

Discussion

  • You discovered that there are thousands of devices on the web with an easily exploitable vulnerability on them.
  • The devices themselves can’t do much other than scan other devices and infect them with the same program.
  • You decide to use them to map the entire internet just to see what is out there, and end up with a database of every IP and common open port on the internet.


Is that ethical? Is that legal?
Is that useful information?
Should you be put in jail for this?

It actually happened!

Article on Sophos

Results of the Scan

Image Source: XKCD

Assignments

  • Read and be prepared to discuss:
    • BITS Chapter 4: Needles in the Haystack
    • BITS Chapter 7: You Can't Say That on the Internet
  • Blog 11: Personal Stance on Privacy - Due 11/17 10:00 PM

Blog 11: Personal Stance on Privacy

Privacy is becoming a big issue in Computing Science. Write about your personal stance with regards to your own privacy. Some thought provoking questions:

  • Are you on Facebook because you want to be, or only because your friends are?
  • Do you feel that you have to give out too much information to use services on the internet? Do you mind giving that information out?
  • Are there things that you wouldn’t want to give up, no matter what? (Remember, this on a blog, so don’t give them out here either!)
  • How do you feel about people that disagree? Are they missing out on something by giving away too much or too little information.
  • Do you feel that it is important to be able to be anonymous on the internet? Or should everything be tied back to a particular person?