DePaul University - PowerPoint PPT Presentation

Provided by: Dep53

1
DePaul University
  • DePaul Information Security

2
Today
  • Microsoft Baseline Security Analyzer (MBSA)
  • Using Internet Explorer securely
  • Email Privacy and File Integrity
  • Using email encryption
  • Spam

3
Outline
  • What is MBSA?
  • How to get it?
  • Installation
  • Features
  • Demonstration

4
Securing Windows Systems
  • Operating System Updates
  • Use a Host Based Firewall
  • Account and Password Security
  • File Sharing
  • Microsoft Applications

5
What is MBSA?
  • Created for Microsoft Systems specifically
  • Tool to make Windows based systems and server
    applications more secure.
  • MBSA points out known flaws which are not fixed
    on the tested system
  • Shows ways to patch security holes
  • Explains correct security guidelines
  • Current version MBSA 2.0
  • Presents a security snapshot

6
How to get it?
  • Microsoft Web Site
  • http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
  • Search on Google
  • Microsoft Baseline Security Analyzer

7
Installation
  • Wizard for easy installation

8
Features
  • Graphical User Interface (GUI) options
  • Scan local computer
  • Scan for common administrative vulnerabilities
  • Scan for missing security updates against the
    Microsoft Update catalog
  • Creates reports in MBSA

9
Supports
  • Checks for common administrative vulnerabilities
    for:
  • Windows 2000, XP, 2003
  • Windows Server 2003
  • IIS 5.0, 6.0
  • SQL Server 7.0, 2000
  • IE 5.01
  • Office 2000, XP, 2003

10
Scans for common vulnerabilities
  • Is Windows Firewall enabled?
  • Are Automatic Updates enabled?
  • Are strong passwords enforced?
  • Are unsecured Guest accounts enabled?

11
MBSA Demonstration

12
Pretty Good Privacy - PGP
  • What is PGP and why use it
  • Cryptography
  • Key Pairs
  • Using PGP software
  • Exporting, Importing and Backing up Keys
  • Public Key Servers
  • Encrypt/Decrypt Mail
  • Encrypt/Decrypt Files
  • Symmetric (secret or conventional) encryption
  • Demonstration

13
Encryption Software
  • What is PGP
  • Originally Authored by Philip Zimmermann in 1991
  • Strong encryption software
  • De-facto standard for email encryption today
  • Originally free software, now owned by Network
    Associates (www.pgp.com)
  • In 1997, OpenPGP working group formed to develop
    an open non-proprietary standard for PGP
  • GnuPG is completely free and compliant with
    OpenPGP
  • Email should not be considered private
  • PGP Allows for privacy and integrity

14
Cryptography
  • Communicating in or deciphering secret writings
    or ciphers
  • Cipher text: unreadable information (jumbled
    data)
  • Encryption: process of scrambling information,
    converting ordinary plaintext information to
    cipher text
  • Decryption: recovering the plaintext from the
    cipher text
  • Public key cryptography (asymmetric): encryption
    and decryption are performed using different keys
  • Secret key cryptography (symmetric): the same key
    is used for encryption and decryption

15
How does it work?
  • Two keys needed: public and private
  • To send someone mail or verify their signature,
    you need to know their public key
  • Using a public key, you encode or encrypt a
    chunk of data (file or email message)
  • Using a private key, you decode or decrypt the
    data to read the file or email

16
How does it work?

17
Generating PGP keys
  • The software will generate a public/private key
    pair
  • You specify the size of the key (1024, 2048 bits)
  • Need to provide a password to protect your key

18
Public Key 2048 bits

19
Encrypted Text
  • Plain text
  • Hello world
  • Encrypt with public key
  • Cipher text
  • Decrypt with private key
  • Plain text
  • Hello World

20
Getting encryption applications
  • PGP
  • Commercial applications
  • http://www.pgp.com/
  • GnuPG
  • Complete and free implementation
  • http://www.gnupg.org/
  • For Windows, use gpg4win (www.gpg4win.org)

21
Using GnuPG software
  • Exporting, Importing and Backing up keys
  • text or ASCII file
  • BACKUP, I said BACKUP your keys
  • Public Key Servers
  • http://www.keyserver.net/en
  • http://pgp.mit.edu/
  • Encrypting Email and Files
  • Using Symmetric Encryption
  • Demonstration
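
The key-pair workflow from the slides above (generate a 2048-bit key pair, export both halves for backup, encrypt with the public key, decrypt with the private key, then symmetric mode) written out as GnuPG commands. This is an added example, not part of the original presentation; it assumes GnuPG 2.1.12 or later, and the identity, passphrase and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumes GnuPG 2.1.12 or later on PATH. The identity and
# passphrase are constructed placeholders; the keyring is a throwaway directory.
set -eu
export GNUPGHOME="$(mktemp -d)"      # isolated keyring, never touches ~/.gnupg
WORK="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT
EMAIL='test@example.edu'
PASS='constructed-passphrase'
# Demo only: --passphrase on a command line is visible in the process list.
g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase "$PASS" "$@"; }

make_key() {            # key pair, 2048 bits, protected by a passphrase
  g --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Test User
Name-Email: $EMAIL
Expire-Date: 0
Passphrase: $PASS
%commit
EOF
}

backup_keys() {         # ASCII-armored export; keep secret.asc offline
  g --armor --output "$WORK/public.asc" --export "$EMAIL"
  g --armor --output "$WORK/secret.asc" --export-secret-keys "$EMAIL"
}

encrypt_to() {          # anyone holding the public key can do this
  printf '%s' "$1" | g --armor --recipient "$EMAIL" --encrypt
}

decrypt_msg() {         # only the private key (plus passphrase) can do this
  printf '%s\n' "$1" | g --decrypt
}

symmetric_roundtrip() { # one shared passphrase, no key pair involved
  printf '%s' "$1" | g --armor --symmetric | g --decrypt
}

if [ "${1:-}" = demo ]; then
  make_key && backup_keys
  ct="$(encrypt_to 'Hello world')"
  printf '%s\n' "$ct" | sed -n 1p      # armor header of the cipher text
  decrypt_msg "$ct"; echo
  symmetric_roundtrip 'Hello world'; echo
fi
```

Running the script with the argument `demo` prints the armor header of the cipher text, then the recovered plaintext from the public-key and symmetric round trips.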

22
The End
  • Questions