Bernard Menezes Department of Computer Science IIT Bombay.

Goals
To put cryptography, network security, system security and application security in perspective
To sample trends and/or challenges in cryptography and network security

Computer Security in perspective
Information Security
Network Security
System Security
Application Security
Operating System Security
Database Security
Language Security

Cryptography
Generally considered part of Network Security
Vast and intense subject that has emerged as a course/research area in its own right
Requires mathematical prerequisites – Number Theory, Discrete Math (groups, rings, fields, etc.)

Pursuit of Mathematics
One may develop mathematical theory with no apparent goal in mind (math for math’s sake)
Decades/centuries later, scientists and engineers may stumble upon excellent applications of such theories
Examples – the use of differential equations in the analysis of electrical circuits, the use of number theory and discrete math in cryptography

Useful math background for cryptography
Modular arithmetic and the gcd
Euclid’s algorithm
Euler’s Theorem and Fermat’s Little Theorem
Lagrange’s Theorem
Chinese Remainder Theorem
Theorems related to subgroups, generators, etc.

Security, Mathematics, Security
Is Cryptography = Security?
Is Cryptography a subset of Applied Mathematics?

But, a word of caution! “Whoever thinks his problem can be solved using cryptography, doesn’t understand his problem and doesn’t understand cryptography” - Source unknown

What is Security about (in the technical sense)?
Attacks (goals of the hacker/attacker/adversary)
Vulnerabilities
Defences

Some Attack Goals
Theft of sensitive information (for example, credit card information)
Disruption of service (rendering a service inaccessible or unavailable)
Information Warfare (attacking the infrastructure of an “enemy” country)
Illegal access to or use of resources (circumventing controls so as to gain unauthorized access)

Attacks, Attacks, Attacks!

Who commits what?

“Once we know our weaknesses, they cease to do us any harm” - Georg Christoph Lichtenberg

Vulnerabilities A vulnerability is a weakness or lacuna in a policy, procedure, protocol, hardware or software within an organization that has the potential to cause it damage or loss.

Vulnerability Types
Human Vulnerabilities
– Induced by careless/unthinking human behaviour
– Ex. clicking on a link in an e-mail message from a questionable source
– Related to phishing and cross-site scripting attacks

Vulnerability Types (contd.)
Protocol Vulnerabilities
– Attacks on commonly used networking protocols such as TCP, IP, ARP, ICMP and DNS
– Ex. connection hijacking caused by ARP spoofing, etc.
– Denial of Service (DoS) attacks which exploit the 3-way TCP handshake
– Pharming attacks exploit vulnerabilities in DNS

Vulnerability Types (contd.)
Software Vulnerabilities
– Caused by sloppy software
– Software may perform as expected under normal conditions, but when provided with a specific input it turns malicious
– Examples include the Buffer Overflow vulnerability, Cross-site Scripting (XSS) vulnerability and SQL Injection vulnerability

Vulnerability Types (contd.)
Configuration Vulnerabilities
– Relate to settings on system/application software, on files, etc.
– Read-write-execute (and other) permissions on files (and other objects) may be too generous
– The privilege level assigned to a process may be higher than what it needs to carry out a task
– Often lead to “privilege escalation” attacks

Advice to a Security Designer “You can’t make something secure if you don’t know how to break it” - Marc Weber Tobias

Defence Strategies
Prevention
Detection
Recovery
Forensics/Traceback

Examples of Preventive Strategies
Code Auditing and Testing (against software flaws)
– Blackbox
– Whitebox
Access Control (against unauthorized access)
– Authentication
– Authorization
Encryption (against eavesdropping)

Examples of Detection
Integrity checks on messages, files
– Simple CRC-type checksums are not effective for security applications
– Use a Message Authentication Code (MAC) instead
Intrusion detection systems based on
– Anomaly detection
– Signature detection
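As an added example (not from the slides), the following Python compares the two integrity checks named above: a CRC-32 over a constructed message can be recomputed by anyone who alters the message, whereas an HMAC-SHA256 tag cannot be recomputed without the shared key, so the alteration is caught. The message, key and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample: a message whose integrity the receiver wants to check.
ORIGINAL = b"transfer 100 to account 42"
FORGED = b"transfer 9000 to account 99"

# Hypothetical shared secret; in practice it comes from key management, not source code.
KEY = b"shared-secret-known-only-to-sender-and-receiver"


def crc_tag(msg: bytes) -> int:
    """CRC-32 of the message. No secret is involved, so anyone can compute it."""
    return zlib.crc32(msg) & 0xFFFFFFFF


def crc_verify(msg: bytes, tag: int) -> bool:
    return crc_tag(msg) == tag


def mac_tag(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 over the message; computing it requires the key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def mac_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking where the comparison stopped (timing side channel).
    return hmac.compare_digest(mac_tag(key, msg), tag)


def forge_with_crc(new_msg: bytes) -> tuple:
    """What a man-in-the-middle can do against a CRC: replace the message and
    simply recompute the checksum. The receiver has no way to tell."""
    return new_msg, crc_tag(new_msg)


def forge_without_key(new_msg: bytes, old_tag: bytes) -> tuple:
    """Against a MAC the attacker lacks the key, so the best it can do is reuse
    the old tag; verification then fails."""
    return new_msg, old_tag


def demo() -> dict:
    """Run both schemes and report whether the tampering was detected."""
    crc = crc_tag(ORIGINAL)
    mac = mac_tag(KEY, ORIGINAL)
    forged_msg, forged_crc = forge_with_crc(FORGED)
    forged_msg2, reused_mac = forge_without_key(FORGED, mac)
    return {
        "crc_accepts_original": crc_verify(ORIGINAL, crc),
        "crc_accepts_forgery": crc_verify(forged_msg, forged_crc),      # True: undetected
        "mac_accepts_original": mac_verify(KEY, ORIGINAL, mac),
        "mac_accepts_forgery": mac_verify(KEY, forged_msg2, reused_mac),  # False: detected
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```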

Trends and Challenges in Cryptography
– Identity-based Cryptography
– Secure Group Communication
– Green Cryptography
– Quantum Cryptography

Trends and Challenges in Security
Defence against botnets
Application software security
Web services security
Electronic payment
Electronic passports

Web Services Security

Web apps versus web services Many of the earlier web applications (such as internet banking) involved human-to-program interaction. However, applications such as supply chain management differ from traditional web applications in several significant respects: Programs communicate with each other over the web with little or no human intervention.

Web apps versus web services (contd.) Services might have a composite nature. Such “composite services” necessitate the involvement of multiple providers, each providing an “atomic service”. There are potentially a large number of “atomic service” providers offering a given service. So clients have a choice and can dynamically change providers.

Web Services The World-wide Web Consortium, W3C, defines a web service as “a software system identified by a URI whose public interfaces and bindings are defined and described using XML. Its definition can be discovered by other software systems. These systems may then interact with the web service in a manner prescribed by its definition using XML-based messages conveyed by internet protocols”.

Entities involved in a web service

Security Challenges Specific to Web Services
SSL/TLS and IPsec are some of the common ways of securing web communication.
However, these are point-to-point protocols; web services require fine-grained security.
SSL does not support non-repudiation.
SSL operates at the transport level. What we need is a protocol that understands a message.

Standards for Web Services Security
XML Digital Signature
XML Encryption
WS-Sec
SAML (Security Assertion Markup Language)
XACML (eXtensible Access Control Markup Language)

Standards for Web Services Security (contd.)
WS-Policy
XKMS (XML Key Management Specification)
WS-Trust
WS-Federation

XML Digital Signature
Provides authentication, data integrity (tamperproofing) and non-repudiation
Very flexible
– Can sign one or more items within an XML document
– Supports multiple signers (ex. business partners)
– Can sign both local and remote objects, XML and non-XML content
– Support for multiple signing algorithms, digest algorithms and canonicalization methods

WS-Sec
Defines XML elements that are used to communicate security tokens within the header of a SOAP message.
A security claim is a statement made about a subject’s identity, signing key, etc.
One or more claims are represented by a security token.
Common examples of security tokens are a username + password, an X.509 certificate, a Kerberos ticket or a SAML assertion.

WS-Sec Token Example Shivani 4u%h&+q:L...

WS-Sec Binary Token <BinarySecurityToken ValueType="...X509v3" EncodingType="...Base64Binary">Lp9tba4Pc7G...

Security Assertion Markup Language (SAML)
Designed to support single sign-on and propagate authorization information
SAML defines three basic types of assertion:
– Authentication
– Attribute
– Authorization

SAML Authenticating Assertion … …

WS-Security Specifications

Application Security

Attacks that exploit software vulnerabilities
Buffer Overflow
Cross-site Scripting
SQL Injection
Format String
...
Some of these are on the Top-10 list of risks brought out by OWASP
What about malware attacks?

Buffer Overflow (BOF) The BOF vulnerability is one of the oldest and, by far, the most common of software vulnerabilities. As early as 1988, the Morris worm was one of the first to exploit this vulnerability. Since then, many creative ways of converting such a vulnerability into an exploit have been devised.

Buffer Overflow (BOF) contd. A buffer overflow (BOF) occurs when the space allocated to a variable (typically an array or string variable) is insufficient to accommodate the data written into it. For example, a certain amount of buffer space is allocated for an array. If array bounds are not checked while populating it, the array may overflow into contiguous memory and corrupt it. Interestingly, this could allow an attacker to subvert the normal flow of a program: malicious code supplied by the attacker in the buffer could be executed.

Exploiting Stack Overflows
Provide input to a buffer on the stack which includes malicious code (often called shellcode)
Overflow the buffer so that the return address to the calling program is overwritten with the address of the malicious code
That way, when the called function terminates, it will not return to the calling program. Instead, the malicious code will be executed

Buffer Overflow Defences
There are many defences against BOF. Some of the best known are
– Make the stack non-executable. This prevents malicious code on the stack from being executed. However, exploits like return-into-libc are still possible.
– Compiler-based option: place a “canary variable” on the stack between the local variables and the return address. If a BOF overwrites the return address, the canary will be corrupted. This is detected by a check the compiler inserts before the function returns, and the program is aborted.

Related Attacks
Heap Overflow: A program’s dynamically allocated variables are stored on the heap. Buffers in this area may also be overflowed, leading to heap buffer overflow attacks.
Format String Attacks: The C function printf( ), for example, takes a format string as a function parameter. If attacker-supplied input is used as that format string, the attacker may be able to read or write arbitrary locations in memory.

Cross-site Scripting Attacks
A web site is said to have a cross-site scripting vulnerability if it inadvertently includes malicious scripts crafted by an attacker in pages returned by it.
For example: Malicious Code
The malicious code may, for example, read browser cookies on the victim’s machine and ship these off to an attacker’s web server.

Persistent XSS Attack
The malicious code (scripts) on a web page is saved on the web server. When an innocent user downloads the web page, the malicious scripts execute in that user’s browser.
Example: Users update their profile on a social networking site. These profiles may be read (downloaded) by other users through their browsers.

Non-persistent XSS Attack
Exploits the fact that some servers echo certain user input back to the client without validating it.
For example, a user may be asked for personal details in an HTML form. Suppose he enters his name as “Prashant”. The server then responds with “Hello Prashant”. Note that the server has echoed back his name.
Now, what would happen if, instead of Prashant, the user enters alert(‘Fire!’)

Overcoming XSS
Validate and filter all user input. (Should this be done at the client or the server?)
One strategy is to make a blacklist of all user input that should be filtered out. For example, single/double quotes, angle brackets, etc. should not appear in an address input from the user.
A better solution in most cases is the equivalent of a whitelist approach - specify precisely what user input is expected. This is often accomplished by the use of a regular expression.
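An added example, not part of the original slides, of the whitelist strategy applied to the name field from the non-persistent XSS slide, with HTML output encoding as a second layer so that even a whitelisted apostrophe cannot break out of the page. The regular expression, sample inputs and function names are assumptions made here.

```python
import html
import re

# Whitelist for a "name" field: a letter followed by up to 39 letters, spaces,
# hyphens or apostrophes. Anything else is rejected outright, not "cleaned up".
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,39}$")

# Constructed sample inputs: a normal name, a name with a legitimate quote, and
# the reflected-XSS probe from the slide (a script tag around the alert call).
SAMPLES = [
    "Prashant",
    "O'Brien",
    "<script>alert('Fire!')</script>",
]


def validate_name(value: str) -> bool:
    """Whitelist check: True only if the input looks like a name."""
    return NAME_RE.fullmatch(value) is not None


def escape_for_html(value: str) -> str:
    """Output encoding: neutralise <, >, &, " and ' so the browser treats the
    text as data, never as markup. Applied even to whitelisted input."""
    return html.escape(value, quote=True)


def render_greeting(value: str) -> str:
    """Server-side handler for the form: reject anything outside the whitelist,
    and encode what is accepted before echoing it back."""
    if not validate_name(value):
        return "<p>Invalid name.</p>"
    return f"<p>Hello {escape_for_html(value)}</p>"


def vulnerable_greeting(value: str) -> str:
    """The echo described on the slide: input copied into the page unchanged."""
    return f"<p>Hello {value}</p>"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample))
        print("  vulnerable:", vulnerable_greeting(sample))
        print("  hardened:  ", render_greeting(sample))
```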

SQL Injection (Background)
Form parameters may be passed as a query string in an extended URL to the server, as in
The server application retrieves the form parameters and uses them to build an SQL query such as
select s_ID, gpa from students09 where s_ID = and passwd = ‘4ep*NdF’

Constructing an SQL query directly from user input (Example 1)
select s_ID, gpa from students09 where s_ID = 123 and passwd = ‘abc’ or ‘x’ = ‘x’

Constructing an SQL query directly from user input (Example 2)
select s_ID, gpa from students09 where s_ID = 123 or 1=1 -- and passwd = ‘abc’

Constructing an SQL query directly from user input (Example 3)
select s_ID, gpa from students09 where s_ID = 123; DROP TABLE students09; -- and passwd = ‘abc’
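An added example (not from the slides) that runs the three queries above against a constructed in-memory SQLite copy of students09, once through a string-built query as on the slides and once through a parameterized query with the id whitelisted as an integer; the table contents and function names are assumptions made here.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the students09 table on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table students09 (s_ID integer, gpa real, passwd text)")
    conn.executemany("insert into students09 values (?, ?, ?)",
                     [(123, 8.5, "4ep*NdF"), (456, 7.2, "letmein")])
    return conn


def vulnerable_lookup(conn, s_id: str, passwd: str) -> list:
    """Builds the query by string concatenation, exactly as the slides show.
    The form parameters become part of the SQL grammar."""
    sql = (f"select s_ID, gpa from students09 "
           f"where s_ID = {s_id} and passwd = '{passwd}'")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, s_id: str, passwd: str) -> list:
    """Whitelist the id (must be an integer) and bind both values as parameters,
    so the database treats them as data rather than as SQL."""
    try:
        sid = int(s_id)
    except ValueError:
        return []
    sql = "select s_ID, gpa from students09 where s_ID = ? and passwd = ?"
    return conn.execute(sql, (sid, passwd)).fetchall()


# The three slide examples, as (s_ID, passwd) form values.
EXAMPLE_1 = ("123", "abc' or 'x' = 'x")                 # always-true tail
EXAMPLE_2 = ("123 or 1=1 --", "abc")                    # comments out the password check
EXAMPLE_3 = ("123; DROP TABLE students09; --", "abc")   # stacked statement


def run_examples() -> dict:
    conn = make_db()
    out = {
        "legit_safe": safe_lookup(conn, "123", "4ep*NdF"),
        "ex1_vulnerable": vulnerable_lookup(conn, *EXAMPLE_1),   # every row leaks
        "ex1_safe": safe_lookup(conn, *EXAMPLE_1),
        "ex2_vulnerable": vulnerable_lookup(conn, *EXAMPLE_2),   # every row leaks
        "ex2_safe": safe_lookup(conn, *EXAMPLE_2),
        "ex3_safe": safe_lookup(conn, *EXAMPLE_3),
    }
    # Python's sqlite3 driver refuses more than one statement per execute(), so
    # example 3 is blocked here by the driver, not by the application code.
    # Other drivers and databases do allow stacked statements.
    try:
        vulnerable_lookup(conn, *EXAMPLE_3)
        out["ex3_vulnerable"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        out["ex3_vulnerable"] = "driver refused stacked statement"
    return out


if __name__ == "__main__":
    for name, result in run_examples().items():
        print(f"{name}: {result}")
```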

“There are two things I am sure after all these years: there is a growing societal need for high assurance software, and market forces are never going to provide it” - Earl Boebert

Electronic Payment

E-Payment
Obviates the need to transport, handle, store and dispense physical cash
Results in enormous savings to banks and merchants
Offers unprecedented convenience to the customer, who does not need to carry currency notes and coins

E-Payment – Distinguishing Features
Real-time, pre-paid, post-paid
Remote versus proximity
E-payment enabling device (cellphone, PC, smart card)
Communication medium (Bluetooth, NFC, internet, etc.)
On-line versus off-line

Cardholder Present E-Transactions
Considerable credit card fraud has motivated the use of “Chip and PIN” cards
Basically a smart card (with an on-card processor)
Cardholder authenticated using a PIN
The PIN is also securely stored on the card and is securely communicated to the terminal
Based on the EMV protocol

Mobile Payment Facilities
Account-related enquiries (for example, account balance)
Cheque Book Request
SMS alerts
Utility Bill Payment
Purchase of movie tickets, etc.
Funds Transfer

Botnets

A botnet is an army of compromised computers or bots connected to the internet and remotely controlled by a “botmaster”. The earliest botnets were a collection of zombies that participated in Distributed Denial of Service (DDoS) attacks. Today’s botnets may comprise tens of thousands or even millions of bots.

Botnets (contd.)
The emergence of botnets is closely linked to the motive of financial gain.
Often used to send spam mail on behalf of third parties.
Bot programs may contain keyloggers and other forms of spyware that capture sensitive personal information such as passwords and credit card numbers and send these to the botmaster.
Botnets have also been used as an extortion tool – “Pay up or your web site will be bombarded by a DDoS attack”.

Botnets (contd.) One important difference between a bot and a computer infected by a traditional worm/virus or Trojan is that a bot needs to communicate with specific nodes in the botnet to receive fresh commands. Early botnets used an IRC server as a Command & Control Server. A channel on such a server was used to convey the botmaster’s commands.

Recent Bots A more recent trend has been distributed and decentralized botnet architectures which leverage existing highly scalable and robust P2P networks. The connectivity of P2P networks ensures that even if a large number of bots are disabled, the rest of the bots continue to stay connected. Moreover, there are no fixed C&C servers making it hard to detect and incapacitate a P2P-based botnet.

The Storm Botnet
First detected in January. Its other names are Peacomm, Nuwar and Zhelatin.
Storm bots are infected in stages. The most common vectors for propagating the primary infection appear to be e-mail or infected web sites. E-mail was sent with sensational subject lines like “230 die as Storm batters Europe”. Likewise, users were lured into downloading free but infected files from web sites containing music of various pop artists.

A Generic Botnet

Advice to a wannabe Security Analyst “Security engineering, especially in this third wave, requires you to think differently. You need to figure out not how something works, but how something can be made not to work. You need to imagine an intelligent and malicious adversary inside your system (remember Satan’s computer) constantly trying new ways to subvert it...

Advice to a wannabe Security Analyst (contd.)... You have to consider all ways your system can fail, most of them having nothing to do with the design itself. You have to look at everything backwards, upside down, and sideways. You have to think like an alien.” - Bruce Schneier