Computer Security and Authentication CS 5352 Spring 06.


1 Computer Security and Authentication CS 5352 Spring 06

2 Software Engineering Institute
Federally funded, sponsored by DoD
Operated by Carnegie Mellon University
About 400 employees
Wants a smooth transfer of new Software Engineering Technology into practice
Technical theme:
– Move left
– Reuse everything
– Never make the same mistake twice

3 CERT Coordination Center
Overview
– Part of the SEI
– Formed by DARPA, 1988, after the worm incident
– About 100 employees
– 3,784 vulnerability reports (2003)
– 137,529 computer security incidents (2003)
Purpose
– Analyse trends in attacks, vulnerabilities, impact
– Coordinate responses to security attacks
– Methods to evaluate, improve, maintain security
– Publish, disseminate good security practices

4 Survivability
The ability of a system to fulfill its mission, in a timely manner, in the presence of attacks, accidents, and failures

5 Critical Need for Information Assurance
Incidents Reported to the CERT/CC (chart)

6 Critical Need for Information Assurance
Vulnerabilities Reported to the CERT/CC (chart)

7 Critical Need for Indications and Warnings
Timeline figure:
Advanced Intruders Discover Vulnerability
Crude Exploit Tools Distributed
Novice Intruders Use Crude Exploit Tools
Automated Scanning/Exploit Tools Developed
Widespread Use of Automated Scanning/Exploit Tools
Intruders Begin Using New Types of Exploits

8

9 Critical Need for Better Engineering Methods
Resistance, recognition, and response must be integrated into the system and application architecture

10 Network protocols
Designed for Arpanet, over 20 years ago
But still used nowadays, in a totally different environment

11 A Different Internet
Armies may cease to march
Stocks may lose a hundred points
Businesses may be bankrupted
Individuals may lose their social identity
Threats not from novice teenagers, but from purposeful military, political, and criminal organizations

12 Why Should You Be Concerned
Personal data
Credit information
Medical information
Purchasing history
Corporate information
Political information
Societal infrastructure

13 Computer Vulnerability (2001)
Out-of-the-box Linux PC hooked to Internet, not announced:
[30 seconds] First service probes/scans detected
[1 hour] First compromise attempts detected
[12 hours] PC fully compromised:
– Administrative access obtained
– Event logging selectively disabled
– System software modified to suit intruder
– Attack software installed
– PC actively probing for new hosts to intrude
Clear the disk and try again!

14 Motivations to Violate Security
Ego
Curiosity
Greed
Revenge
Competition
Political/Ideological

15 People and Computer Crime
Most damage not due to attacks
“Oops!”
“What was that?”
No clear profile of computer criminal
Law and ethics may be unclear

16 Types of Attackers
Script Kiddies
Old-line hackers
Disgruntled Employees
Organized Crime
Corporate Espionage
Foreign Espionage
Terrorists

17 Buffer overflow
The most important avenue for vulnerabilities
Good programming practice: always verify that the input you receive from an uncontrolled source conforms to the expected format

18 Buffer overflow example: rlogin program
The TERM environment variable is copied into a fixed 1024-byte stack buffer with an unbounded strcpy(), so a longer value overwrites whatever follows the buffer:

    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char *p;
        char term[1024];
        /* ... */
        /* unbounded copy: TERM comes from the environment and may exceed 1024 bytes */
        (void)strcpy(term, (p = getenv("TERM")) ? p : "network");
        /* ... */
        return 0;
    }
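Added example (not from the slides): a bounded version of the same TERM copy, following the good-programming-practice rule on the previous slide. The function names copy_term and term_value_accepted are chosen here; the 1024-byte buffer size is the one from the rlogin code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TERM_LEN 1024   /* same buffer size as the rlogin slide */

/* Bounded replacement for the slide's strcpy(term, getenv("TERM") ...).
 * Copies env_value (or the default "network") into dst only if it fits in
 * cap bytes including the terminator. Returns 0 on success and -1 when the
 * value is too long, so an oversized TERM is rejected instead of being
 * written past the end of the stack buffer. */
int copy_term(char *dst, size_t cap, const char *env_value)
{
    const char *src = (env_value != NULL) ? env_value : "network";
    /* memchr stops after cap bytes, so an over-long or unterminated value
     * cannot make us scan or copy beyond the destination's size. */
    const char *nul = memchr(src, '\0', cap);
    if (nul == NULL)
        return -1;                      /* no terminator within cap: too long */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Same check against a TERM_LEN buffer; returns 1 if accepted, 0 if rejected. */
int term_value_accepted(const char *env_value)
{
    char term[TERM_LEN];
    return copy_term(term, sizeof term, env_value) == 0;
}

int main(void)
{
    char term[TERM_LEN];
    if (copy_term(term, sizeof term, getenv("TERM")) != 0) {
        fputs("TERM value too long, refusing to continue\n", stderr);
        return 1;
    }
    printf("terminal type: %s\n", term);
    return 0;
}
```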

19 Authentication
Four classic ways to authenticate:
1. something you know (passwords)
2. something you have (smartcard)
3. something you are (fingerprint)
4. something you do (usage signature)
None of these is perfect

20 Identity theft
Fastest rising crime in the US
FBI won’t help unless losses above $100,000.
Someone can steal an identity with just a social security number!!!

21 Passwords
Account – person using the system
Username – identity of account (public)
– limited characters, alphanumeric & special characters
– typically related to real name of user (not always); certain names reserved
– unique on system
– fixed at account creation
Passwords – verification of identity (private)
– less limited length and characters
– fixed until changed
– non-unique (two users may have the same password, in which case both have a bad password)
Many multi-user operating systems have the same scheme

22 Password Security
Password security depends on ONLY you knowing the password
– Secure selection
– Secure handling
– Secure storage

23 Password Storage
“trapdoor encrypted”
– scrambled in a way that cannot be unscrambled
– scrambling folds password over itself – lost bits
– different users with same password won’t have same scrambled password
– login scrambles entered password and compares against stored scrambled password
– original concept: since only scrambled passwords are available, storage is secure (FALSE!)
Example stored entry: longpre:br1eXN8N3pyAB

24 Password Attacks
Easy to Hard
– Given password
– Grab password
– Generate password
– Guess password

25 Given Password
Look It Up
– Default passwords
– Posted passwords
Ask for It (Social Engineering)
– As colleague
– As friend
– As administrator / authority
– As clueless & needy
Countermeasures
– Education
– Other authentication

26 Grab Password (locally)
Physical proximity
– Shoulder surfing
– Countermeasures: Education; Exercises; One-time passwords
Program access
– Trojan Horse
– Perverted program
– Countermeasures: Integrity checks; Other authentication

27 Other Network Attacks
Tapping
– Method depends on network medium
– Countermeasures: Encryption; Physical protection & inspection
Van Eck Radiation
– Current through wire: radio waves
– Receiver tunes in on hosts/network
– Countermeasures: Encryption; Distance; Emission control

28 Generate Password
Use a dictionary
Requires: scrambled password, encryption method & large dictionary
Password Cracking
– Natural language words and slang
– Backwards / Forwards / Punctuation and Numbers inserted
– Program: 27,000 passwords in approx 3 seconds (Pentium II/133)
Countermeasures
– Preventive strike (BEWARE)
– Password rules
– Other authentication
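Added example (not from the slides) of the “password rules” countermeasure: a checker that rejects any password the cracking variants listed above would recover, i.e. a dictionary word read forwards or backwards, with punctuation and digits inserted or substituted for letters. The word list is a constructed sample, and the name password_is_weak is chosen here.

```c
#include <ctype.h>
#include <string.h>
/* Constructed sample word list; a real check would load a large dictionary. */
static const char *DICT[] = { "password", "secret", "letmein", "welcome", "dragon" };
#define DICT_N (sizeof DICT / sizeof DICT[0])
/* Digits and symbols a cracker's rules swap in for letters, and the letters they stand for. */
static const char LEET_FROM[] = "@401!3$5";
static const char LEET_TO[]   = "aaoiiess";

/* Reduce a candidate to lowercase letters: with leet = 0 digits and punctuation are
 * dropped ("Password1!" -> "password"), with leet = 1 they are first mapped back to
 * letters ("P@$$w0rd" -> "password"). Returns the reduced length. */
static size_t reduce(const char *pw, char *out, size_t cap, int leet)
{
    size_t n = 0;
    for (; *pw != '\0' && n + 1 < cap; pw++) {
        unsigned char c = (unsigned char)*pw;
        const char *hit = leet ? strchr(LEET_FROM, (char)c) : NULL;
        char sub = 0;
        if (isalpha(c))
            sub = (char)tolower(c);
        else if (hit != NULL)
            sub = LEET_TO[hit - LEET_FROM];
        if (sub != 0)
            out[n++] = sub;
    }
    out[n] = '\0';
    return n;
}

/* 1 if the password reduces to a dictionary word read forwards or backwards
 * under either reduction (the variants listed on the slide); 0 otherwise. */
int password_is_weak(const char *pw)
{
    char core[64];
    for (int leet = 0; leet < 2; leet++) {
        size_t n = reduce(pw, core, sizeof core, leet);
        for (int pass = 0; pass < 2; pass++) {
            for (size_t i = 0; i < DICT_N; i++)
                if (strcmp(core, DICT[i]) == 0)
                    return 1;
            for (size_t i = 0; i < n / 2; i++) {   /* reverse for the second pass */
                char t = core[i]; core[i] = core[n - 1 - i]; core[n - 1 - i] = t;
            }
        }
    }
    return 0;
}
```

A production version would add the “Guess password” slide's personal and system information (user names, host names) to the word list before checking.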

29 Guess Password
Use knowledge of user
– System information
– Personal information
– Occupation information
Often combined with dictionary attack
Countermeasures
– Password rules
– Other authentication

30 Password Changing
When?
– Forced or voluntary
– Regularly or event driven
Considerations
– Increase security? Fixes a stolen-password problem; however, stolen passwords are often used quickly
– False sense of security
– Too frequent password changes encourage weak passwords and written-down passwords

31 Passwords on Many Machines
One or Many?
– Ease of memorization vs. likelihood of writing
– Options:
– Secure stored passwords
– Network authentication method
– Algorithm for varying passwords
– Seldom used passwords in encrypted file

32 Something You Have
Convert logical security to physical security
– One-time pad
– Strip card / smart card
– Dongle
– Challenge-Response calculator
Problems: Cost & token issuing/handling
Advantages: Physical presence; hard to hack

33 Smart cards for identification
Hard to duplicate
If the protocol is weak and a lot is at stake, fakes WILL appear
Use of zero-knowledge algorithms
– Guarantee a valid user but preserve privacy
Attacks on smart cards
– Power supply
– Chemical stripping
– Emissions

34 Something You Are
Biometrics: Measure physical characteristic
– Face geometry
– Hand geometry
– Fingerprint
– Voiceprint
– Retinal Scan
– Signature
Advantages: Physical presence, not easily lost
Disadvantages: Cost, Security, Variation, Handicaps, Success ratio
