Presentation is loading. Please wait.

Presentation is loading. Please wait.

MIS 5211.001 Week 8 Site:

Published byDustin Joseph Modified over 9 years ago

Similar presentations

Presentation on theme: "MIS 5211.001 Week 8 Site:"— Presentation transcript:

1 MIS 5211.001 Week 8 Site: http://community.mis.temple.edu/mis5211sec001f14/ http://community.mis.temple.edu/mis5211sec001f14/

2  In the news  Student Presentations  Social Engineering  Encryption  Encoding 2MIS 5211.001

3  Submitted  http://www.techrepublic.com/article/social- engineering-audits-on-the-rise-what-this-means-for- cios-and-csos/ http://www.techrepublic.com/article/social- engineering-audits-on-the-rise-what-this-means-for- cios-and-csos/  http://krebsonsecurity.com/2014/10/signed- malware-is-expensive-oops-for-hp/#more-28253 http://krebsonsecurity.com/2014/10/signed- malware-is-expensive-oops-for-hp/#more-28253  http://nakedsecurity.sophos.com/2014/10/14/dro pbox-passwords-leaked-third-party-services- blamed/ http://nakedsecurity.sophos.com/2014/10/14/dro pbox-passwords-leaked-third-party-services- blamed/  http://www.securityweek.com/atm-malware- allows-attackers-steal-millions http://www.securityweek.com/atm-malware- allows-attackers-steal-millions  http://systemstatus.temple.edu/system/status http://systemstatus.temple.edu/system/status 3MIS 5211.001

4 4

5  What I noted  http://googleonlinesecurity.blogspot.com.au/2014/ 10/this-poodle-bites-exploiting-ssl-30.html http://googleonlinesecurity.blogspot.com.au/2014/ 10/this-poodle-bites-exploiting-ssl-30.html  http://www.bloomberg.com/news/2014-10- 14/hackers-shake-confidence-in-1980s-free-software- idealism.html http://www.bloomberg.com/news/2014-10- 14/hackers-shake-confidence-in-1980s-free-software- idealism.html  http://www.net- security.org/secworld.php?id=17488 (DropBox Non- Hack or Don’t reuse IDs and Passwords) http://www.net- security.org/secworld.php?id=17488  http://www.esecurityplanet.com/open-source- security/veracrypt-a-worthy-truecrypt- alternative.html http://www.esecurityplanet.com/open-source- security/veracrypt-a-worthy-truecrypt- alternative.html MIS 5211.0015

6  Definition  Getting people to do what you want  Alternatively  Psychological manipulation of people into performing actions or divulging confidential information. - wikipedia.org  Or  Social engineering exploits people's emotions and their desire to help others – malware.wikia.com MIS 5211.0016

7  Confidence  Act like you belong there  Friendliness  Make people want to help you  Appearance  Dress for the part MIS 5211.0017

8  Can take a number of forms  Pretexting  Phishing  Spear Phishing  Vishing  Tailgating  Quid Pro Quo  Baiting  Diversion Theft MIS 5211.0018

9  Inventing a scenario  Do some recon  Speak the language  Impersonate someone who should be there  Give information outsider would not have  Legitimate name of supervisor or department  Reference correct office location  Project name or internal initiative  Pretend to be police, FBI, TSA, or Homeland Security  Note: this is a crime all by itself MIS 5211.0019

10  Email  Again, starts with Recon  Send legitimate looking email  Request verification of information and warn of consequences for non-compliance  Link to fraudulent web site  Note: Larger organizations pay for monitoring services to catch this MIS 5211.00110

11  Similar to phishing, but much more targeted  Heavy recon  Identify just the right target or targets  Executive  IT Admins  Accounts payable  Create content very specific to Target(s) MIS 5211.00111

12  Often used to deliver malware  Tempting attachments:  New bonus plan  Layoff list  Memorial notice for recently passed employee  Web sites that deliver promised content  But infect browser MIS 5211.00112

13  Similar to phishing, but by phone or fraudulent IVR  VOIP can be used to falsify source phone number (Caller ID Spoofing)  Swatting – Initiating a police raid MIS 5211.00113

14  May or May Not be Social Engineering  People feel a need to “Hold the door”  Especially problematic in the south eastern US  Even man traps and roto-gates can be gotten around  Show up with large packages or boxes  Ask security for help MIS 5211.00114

15  Call into company claiming to be Tech Support  May take a number of calls  Eventually you will hit someone that actually called for support  Help them (Sort of)  They’ll follow your directions  Type commands  Download software  Provide data MIS 5211.00115

16  Spread USBs around parking lots  Mail official looking CDs  Send a token desk toy (with WiFi repeater installed)  Replacement mouse (with malware preloaded)  MP3 player MIS 5211.00116

17  Fake ATM  Intercept delivery man  “Borrow” a FedEx or UPS truck and make a pickup MIS 5211.00117

18  More of a recon technique then actual Social Engineering  Gold Standards of Dumpster Diving  Yellow Sticky  Hand written notes MIS 5211.00118 $

19 MIS 5211.00119

20  Couple of points up front  Real “Standards based” encryption is hard to break  Proprietary encryption is usually not as hard to break  When encryption is broken, it is usually the implementation, not the cypher suite that is broken  Example: WEP and RC4  Regardless of encryption, the computer has to decrypt the data to act on it. Therefore, clear text data is in memory  Also true of browsers, browser must decrypt to act MIS 5211.00120

21  Algorithm – Mathematical rules used to encrypt and decrypt  Ciphertext – The encrypted data  Encipher – Encrypting  Decipher – Decrypting  Key – Sequence of bits and instruction that governs encryption and decryption  Plaintext – Unencrypted data MIS 5211.00121

22  Symmetric – Both parties use the same key  Anyone with a key can encrypt and decrypt  Relatively fast, less intensive to use  Asymmetric – Keys a linked mathematically, but cannot be derived from each other  What one key encrypts, the other key decrypts  Works both ways  Also known as a key pair and associated with PKI or public key encryption  Relatively slow, resource intensive MIS 5211.00122

23  Block Ciphers  Data is broken in to blocks  Blocks are encrypted/decrypted individually  Stream Cipher  Message is not broken up  Encrypted/decrypted one bit at a time MIS 5211.00123

24  DES  3DES  AES or Advanced Encryption Standard  Blowfish MIS 5211.00124

25  RC4  RSA  El Gamal  ECC or Elliptic Curve Cryptosystems MIS 5211.00125

26  A “Hybrid” encryption method  Symmetric key is used to perform bulk encryption/decryption of data  Asymmetric keys are used to pass the symmetric key securely MIS 5211.00126

27  Basically just a secret key that is only used for one session between users (or systems) and is then disposed of. MIS 5211.00127

28  Comprehensive process including:  Programs  Data formats  Procedures  Protocols  Policies  Mechanisms  All working together to secure communications MIS 5211.00128

29  Certificate Authority (CA)  Issues public keys  Verifies you are who you say you are and provides certificate to prove it that can only come from a secret key you posses  Registration Authority (RA)  Performs registration activities for a CA MIS 5211.00129

30  Provides for message integrity  Mathematical value calculated from data that cannot be reversed  Sender and receiver can both calculate the value and verify that the data sent is the data received MIS 5211.00130

31  Encrypted hash value  Data sent is data received  Data can only have come from someone with the appropriate key(s)  Reference: CISSP Certification, Shon Harris MIS 5211.00131

32  Only one cipher is truly unbreakable  One-Time Pad  Each pad is only used once  Pad is XORd against cleartext data  Ciphertext is XORd against pad at receiver  Generally not used due to difficulty in distributing non-recurring pads MIS 5211.00132

33  Longer keys are better  Keys need to be protected  Keys should be extremely random and use full spectrum of keyspace MIS 5211.00133

34  Encoding is NOT encrypting  Perfect example: Base64 encoding  Well known  Reversible  Provide limited obfuscation  Other examples  Morse code  ASCII  UTF-8, 16, 32  EBCIDIC  Unicode MIS 5211.00134

35  Often used incorrectly as a substitute for encryption  Some “proprietary” encryption systems were nothing more then Base64 or Base64 with character substitution  Even if you don’t recognize the encoding it is easily “cracked” with frequency analysis MIS 5211.00135

36  We will see this again when we cover Web applications and intercepting proxies  Base64 encoding is often used as an obfuscation technique MIS 5211.00136

37  Readings and Articles as usual  We will be covering  Malware MIS 5211.00137

38 ? MIS 5211.00138

Download ppt "MIS 5211.001 Week 8 Site:"

Similar presentations

II.I Selected Database Issues: 1 - SecuritySlide 1/20 II. Selected Database Issues Part 1: Security Lecture 2 Lecturer: Chris Clack 3C13/D6.

II.I Selected Database Issues: 1 - SecuritySlide 1/20 II. Selected Database Issues Part 1: Security Lecture 2 Lecturer: Chris Clack 3C13/D6.
NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.

NSRC Workshop Some fundamental security concerns... Confidentiality - could someone else read my data? Integrity - has my data been changed? Authentication.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Encryption Matches Domain 4.0 Basics of Cryptography (15 percent of Security +) Network Security Class Dr. Kleist Note: Most material from Harris, Shon.

Encryption Matches Domain 4.0 Basics of Cryptography (15 percent of Security +) Network Security Class Dr. Kleist Note: Most material from Harris, Shon.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Cryptography.

Cryptography.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Cryptography Basic (cont)

Cryptography Basic (cont)
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.

Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.
1 Chap 1: Introduction Some background –The message is usually represented as M or P (plaintext), the encryption result is usually represented as C (ciphertext).

1 Chap 1: Introduction Some background –The message is usually represented as M or P (plaintext), the encryption result is usually represented as C (ciphertext).
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.
Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.

Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.

03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
TrustPort Public Key Infrastructure. WWW.TRUSTPORT.COM Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
Encryption Methods By: Michael A. Scott 20140508.

Encryption Methods By: Michael A. Scott

Similar presentations

Ads by Google