Security and Privacy on the Internet

1
Security and Privacy on the Internet

• A course on Internet Security
• Security is a process. It is a journey.
• --Bruce Schneier

2
Security and Privacy on the Internet

• PREFERRED BACKGROUND
• Internet Architecture, TCP/IP suite, POPs, NAPs,
  RAs, Peering, GigaPOPs
• Evolving Requirements and architecture of
  Internet
• Wireless and mobile protocols
• Network Application Programming
• Performance Measurement, tcpdump
• The course An introduction to the issues of
  security in public distributed networks

3
Security and Privacy on the Internet

• Security Planning, Policies and procedures
  Threats and Strategies digital rights
• security services and mechanisms
• Encryption methods and Secure Protocols, DES,
  AES Public Key algorithms VPN
• Internet sniffing and scanning tools
• Intrusion Detection, Intrusion Analysis and tools
  
• General topics Viruses and enterprise anti-virus
  tools other applications like digital cash, code
  signing and anonymous e-mail

4
Grading Scheme

• 60-564
  60-475
• Project I 15
  15
• Survey of Area 20 15
  
• Class Test 20
  20
• Final Exam 30
  35
• Assignments 15 15
• For 60-475, instead of the Survey, it would be
  Project II.

5

• Why should we study Internet Security?
• Practical (
  Mundane) Reasons

6
Examples those, who hold the keys to
the Kingdom

• Jim Allchin, Microsoft's Windows chief said in
  Oct 2005, I'd already been through lots of days
  of personal training on the tools that are used
  to do hacking.
• Researcher Dan Kaminsky found him to be quite
  knowledgeable about Hashing.
• Researcher Matt Conover, while talking about a
  fairly obscure type of problem called a "heap
  overflow, asked the audience, made up mostly of
  vice presidents, whether they knew about this
  type of issue, 18 of 20 hands went up. (Blue Hat
  Conference at Redmond in Oct 2005)

7
Two news-items

• The industry showed a significant level of
  dissatisfaction in the ability of companies to
  hire information security workers. --- from the
  Information Technology Association of Americas
  member survey of Sept 2003
• Homeland security allocating money in 2003 for
  research in Security at US University so that
  more grads can become available for jobs in
  security.

8

• Demand for IT security professionals is
  approaching levels not seen since shortly after
  the 9/11 terrorist attacks five years ago.
• Emergency Warning to Employers Unless you begin
  immediately to increase hiring and intensify
  staff development in your security services and
  products, you will probably not have sufficient
  bench strength for a late 2007 crescendo in
  demand..
• --Foote Partners LLC
• http//www.footepartners.com/FooteNewsrelease_ITse
  curityskills_070207.pdf
• as of Sept 6, 2007

9
Estimates of Market for Security Products

• IDC Estimates Internet security market expected
  to grow exponentially
• Yankee Estimate of market
• Host Intrusion Prevention products and services
  60 million in 2002.
• Prediction growth at a compound annual rate of
  52.7 percent to 520 million by 2007
• secure content delivery products and services
  302 million in 2002.
• Prediction for 2007 580 million.
• Ironport The Web messaging security market to
  grow at about 25 annually. Reference
  http//www.ironport.com/company/pp_trading_markets
  _01-04-2007.html as of Sept 06, 2007

10
Jobs in Security

• "From what we've seen on our site, and from what
  I've seen from the industry, security is not
  surprisingly very much in demand -- Nick
  Doty, Editorial Director of Techies.com
• Average Salary Security Analyst (Reference
  http//www.esj.com/Columns/article.asp?EditorialsI
  D28 )
• Entry (less than 1 year of experience) US
  54,090

11
.there will be more security breaches,
says Schneier

• As more of our infrastructure moves online,
• as more things, that someone might want to access
  or steal, move online .
• As our networking systems become more complex
  ..
• As our computers get more powerful and more
  useful..

12

• Why should we study Internet Security?

13
Corporation is the network.

• A company can compete in the global marketplace
  only if it has a strong underpinning of reliable
  and secure computing and communication
  infrastructure.
• ? A network.
• Which Network ?
• The latest telephone network Advanced
  Intelligent Network
• The Internet The Stupid Network
• Ref Rise of the Stupid Network, David
  Isenberg, 1997, www.isen.com

14
Two laws and the User

• Moores Power of PCs (measured in MIPS)
  increases an order of magnitude every 5 years.
• Amdahls A Mb of I/O capability is required for
  every MIPS of processor performance.
• But during 1980s and 90s
• User Accessible Bandwidth at WAN level increased
  by an order of magnitude every 20 years.

15
Network-computing

• Network-computing Requirements for I/O and
  communication speed grow at the same rate.
• Assume that
• Communication speed requirement 1/8(I/O
  capability)
• Example processor power 1000 MIPS
• I/O requirement 1000
  Mbps
• Communication requirement 125 Mbps
• Study of network architecture for providing
  secure and reliable high performance, with the
  required QoS an important area of research.

16
Problem of Security

• Higher the available compute-power, easier it
  is to hack a system.
• The network bandwidth of WANs increases at a rate
  much lower than the rate of increase of the
  available compute-power.
• The amount of data being sent cannot be
  increased through padding.

17

• Let us begin.

18
Introduction Security

• RFC 1244, Site Security Handbook, by Holbrook,
  Reynold, et al.
• Common sense the most appropriate tool that
  can be used to establish your security policy.
• Elaborate security schemes and mechanisms
  useful only if the simple controls are NOT
  forgotten.
• Knowledge ? Confidence ? flowering or
  non-blocking of Common-sense

19
Security planning

• We want to find a program that "fixes" the
  network security problem. Few of us want to write
  a paper on network security policies and
  procedures.
• Physical Security for network equipment and
  cables
• against natural disasters like fire and
• against mis-behavior by internal authorized users
• is, in fact more important than the threats
  through
• networks.

20
Security planning (contd)

• Components of security planning
•  Step 1 assessing the threat,
•  Step 2 writing a security policy a statement
  of what is allowed and what is not allowed
  assigning security responsibilities.
• Step 3 Choosing the mechanism, tools and
  methodologies to implement the policy
• Let us begin with step 2.

21
Security Policy

• Two Important Components
• 1.Decentralized Control and
• 2.Clear Definition of Roles and Responsibilities
• Distributed Control through Subnets The subnet
  administrator and the system administrator
  responsible for their system security.
• The subnet administrator allocates IP
  addresses and knows his users.

22
Security Policy Clear definitions

• A network security policy should define
• The network user's security responsibilities
• The policy may require users
• to change their passwords at certain intervals,
• to use passwords that meet certain guidelines,
• to perform certain checks to see if their
  accounts have been accessed by someone else.
• Whatever is expected from users, it is
  important that it be clearly defined.

23
Security Policy (contd)

• The system administrator's security
  responsibilities
• The policy may require that
• every host use
• specific security measures,
• login banner messages, and
• monitoring and accounting procedures.
• certain applications should not be run on any
  host attached to the network.

24
Security Policy (contd)

• The proper use of network resources
• Define
• who can use network resources,
• what things they can do, and
• what things they should not do.
• If users email, files, and histories of computer
  activity are subject to security monitoring, the
  users must be very clearly informed about the
  policy.

25
Security Policy (contd)

• The actions taken when a security problem is
  detected
• What should be done when a security problem is
  detected?
• Prepare a detailed list of the exact steps that a
  system administrator, or user, should take when a
  security breach has been detected.
• Example A user may be required to "touch
  nothing, and call the network security officer."
• Who should be notified?
• Prepare a disaster recovery plan so that when the
  worst does happen, you can recover from it with
  the minimum possible disruption.

26
Reference

• RFC 1281 A Guideline for the Secure Operation of
  the Internet
• provides guidance for users and network
  administrators on how to use the Internet in a
  secure and responsible manner.
• useful for preparing the security policy for an
  organization.

27
A detourA little history of an ancient art
The first printed book on cryptology

• Johannes Trithemius, an abbot in Spanheim One
  of the founders of cryptology
• The first printed book of cryptology titled
  Polygraphiae Libri Sex in German language in
  1518 by Johannes Trithemius, published after the
  death of the writer.
• (The title means -Six Books of Polygraphy)

28
A little history (continued)

• Earlier in 1499 he had written a 3-book
• Steganographia, (meaning covered writing)
• which was circulated privately
• was published in 1606.
• The first two books about cryptology.
• But the third book could not be understood,
  without understanding the encoding that he had
  used.

29
A little history (continued) A
challenge for a cryptanalyst

• In the third book, which was considered to be
  incomplete, Trithemius explained why he had made
  it hard to understand
• This I did that to men of learning and men
  deeply engaged in magic, it might, by the Grace
  of God, be in some degree intelligible, while on
  the other hand, to the thick skinned
  turnip-eaters it might for all time remain a
  hidden secret, and be to their dull intellects a
  sealed book forever.

30
Ban, what you dont understand.

• The third book banned in 1609, ostensibly
  because it explained how to employ spirits for
  sending secret messages.
• The challenge - of deciphering the book met by
  three persons in 500 years
• 1676Wolfgang Heidel, the archbishop of Mainz,
  Germany, claimed to have deciphered the third
  book of Trithemius.
• But his discovery was stated in a secret code
  of his own. So nobody knew whether Heidel had
  understood the book.

31
A little history Deciphering the third book
of Trithemius

• 1996Thomas Ernst, Prof of German at La Roche
  College, Pittsburgh published a 200-page
  German-language report in a small Dutch journal,
  Daphnis.
• WIDELY KNOWN SOLUTION spring 1998 Jim Reeds of
  AT T labs solved the riddle of understanding
  the third book independently.
• He did not know of the earlier work of Ernst.
• Trithemius work basically simple Ernst took two
  weeks and Reeds took two days to understand it.
• Both Ernst and Reeds, separately, deciphered
  Heidels work and found that Heidel had been able
  to decipher Trithemius third book.

32
References The Trithemius riddle

• Reference1. Thomas (Penn) Leary, Cryptology in
  the 16th and 17th Centuries, Cryptologia, July
  1996, available at http//home.att.net/tleary/cry
  ptolo.htm
• 2. http//www.post-gazette.com/healthscience/19980
  629bspirit1.asp
• 3. Gina Kolata, A Mystery Unraveled, Twice, The
  New York Times, April 14, 1998, pp. F1, F6,
  available at http//cryptome.unicast.org/cryptome0
  22401/tri-crack.htm

33
A challenge for the future

• At 35th birthday of MITs Lab for Computer
  Science A time capsule of innovations has been
  sealed in the new building of LCS. It contains a
  cryptological problem, which may be solved in 35
  years on computers,(by 2033), which may be
  replaced every year to get higher computing
  power.
• If you find an algorithm, which solves it
  earlier, you can send it to the Director, LCS.
• If correct, a special ceremony to unseal the
  capsule will be set up.
• Referencehttp//theory.lcs.mit.edu/rivest/lcs35-
  puzzle-description.txt
• getting back from the
  detour .

34
Step 3 Components of security planning

• Step 1 assessing the threat  
• Step 2 writing a security policy (already
  discussed)
• Step 3 Choosing
• the methodologies,
• tools and
• mechanisms
• to implement the policy

35
Methodologies

• Security Procedures to implement the policy
• Goals of security Procedures
• Prevention
• Detection nature, severity of attack and effects
• Recovery and fixing vulnerabilities
• Counterattack or legal recourse

36
Procedures

• Usually a procedure implements one part of the
  policy.
• A union of procedures is supposed to provide
  precise security.
• Types of procedures
• Secure
• Precise or
• Broad

37
Types of Procedures

• P set of all possible states of the system
• S set of secure states, as defined by the policy
• Mset of states to which the system is
  constrained by Security procedures
• The system is
• Secure if M is contained within S
• Precise if M S
• Broad if there are states in P which are
  contained in M but which are not contained in S.

38
Procedural and Operational Security

• policies and education on safe computing
  practices
• desktop configuration management
• proactive probing for vulnerabilities
• Each procedure may be designed to take care of a
  (or a set of) threats.

39

• New Threats arise and old threats change
• As the use of Internet changes and
• as new technologies are implemented
• Some Threats
• to a networked system

40
Security Threats

• RFC 1244 identifies three distinct types of
  security threats associated with network
  connectivity
• Unauthorized access
• A break-in by an unauthorized person.
• Break-ins may be an embarrassment that
  undermine the confidence that others have in the
  organization.
• Moreover unauthorized access ? one of the
  other threats-- disclosure of information or
• --denial of service.

41
Classification of Security Threats
Reference RFC 1244

• Disclosure of information
• disclosure of valuable or sensitive information
  to people, who should not have access to the
  information.
• Denial of service
• Any problem that makes it difficult or impossible
  for the system to continue to perform productive
  work.
• Do not connect to Internet
• a system with highly classified information,
  or,
• if the risk of liability in case of disclosure
  is great.

42
Brent Chapmans Three Categories of
Security Threats

• Brent Chapmans Classification
• Confidentiality
• Of data
• Of existence of data
• Of resources, their operating systems, their
  configuration
• Of resources used, in case the resources are
  taken on rent from a service provider

43
Information Security Threats
Chapmans Classification (contd.)

• availability A DoS attack may disrupt
• availability of a service, or
• availability of data
• integrity
• Of data
• Of origin
• Once someone has gained unauthorized access
• to a system, the integrity of the information on
• that system is in doubt.

44
In the face of threats A
secure system

• Features of a secure system
• A system which is able to maintain
  confidentiality of data
• A system which is able to maintain integrity of
  data
• A system, which is available, whenever the user
  require it

45
Threats for the Internet/ISP

• propagate false routing entries (black holes)
• domain name hijacking
• link flooding
• packet intercept
• Phishing attacks use e-mails that often appear
  to come from a legitimate e-mail address and
  include links to spoofed Web addresses. The
  receiver responds to the link, which takes the
  receiver to a site, other than what the receiver
  thinks he is going to. (announced by MS on 16 Dec
  2003, as a problem with Internet Explorer).

46
Types of Security Threats Additions

• Denial of service
• Illegitimate use
• (Mis)-Authentication
• IP spoofing
• Sniffing the password
• Playback Attack
• Bucket-brigade attack ( when Eve substitutes her
  own public key for the public key of Bob in a
  message being sent by Bob to Alice)
• Generic threats Backdoors, Trojan horses,
  viruses etc

47
Example of a Security Incident
Phishing

• Phishing (mis)uses the following rule
• If ASCII 00 and 01 characters are used just prior
  to _at_ character, IE would not display the rest of
  the URL.
• Example http//www.whitehouse.gov0100_at_www.hacke
  r.com/......
• will show up as http//www.whitehouse.gov in the
  status bar, indicating as if the message is from
  the White House. However the response will go to
  the Hacker.

48
Anti-Phishing.org

• A Web site www.antiphishing.org, for reporting
  incidents,
• set up by a group of global banks and
  technology companies, led by Secure-messaging
  firm Tumbleweed Communications Corp
• Fast Response required
• The phishing Web sites often only in place
  for a day.
• Example Dec 2003 Phishing e-mail appeared to
  come from the U.K. bank NatWest.
• Anti-Phishing.org tracked the IP address to a
  spoofed home computer in San Francisco. "The
  owner of the computer probably had no idea he'd
  been hijacked," says Dave Jevans, Tumbleweed's
  senior vice president of marketing.

49
Common attacks on banks
through Internet

• Common attacks
• phishing (attempts to trick account holders to
  give their account authentication details away),
• fraudulent association with the bank as part of
  investment scams, and
• trademark violation
• Losses due to attacks
• "The major banks don't want to divulge the amount
  of losses. But just to give one example, a major
  Australian bank has put several million dollars
  in reserve since August 2003 to cover damages due
  to Internet frauds. Dave Jevans, eWeek, Dec
  2003

50
An Example time-to-market for Internet Security
products

• 16 December, 2003 Discovery of the problem of
  Phishing
• 5 January 2004 Announcement of development of a
  new Anti-phishing service by Netcraft, of Bath,
  England.
• Netcraft says that the service is mainly for
  banks and other financial organizations

51
The Netcraft Service

• to detect use of their
• name,
• brands,
• trademarks and
• slogans on the Internet by any unauthorized
  party.
• to facilitate quick removal of attempts at
  "phishing" attacks.
• to provide details of the site registration and
  hosting locations of potentially offending sites,
  
• to classify the severity of the incident

52
The Netcraft Service (continued)

• The service will
• include real-time monitoring of spam for domains,
  brands and company names.
• monitor
• DNS registrations and
• SSL (Secure Sockets Layer) certificate common
  names.
• Netcraft known for conducting monthly surveys
  from almost 20 million sites.
• Its database has hostname domain names for
  over 46 million web sites, and the front page
  content for about 20 million sites

53
Terminology of Hacking
A few more words

• Snooping (also called passive wire-tapping)
• Active wire-tapping or man-in-the middle attack
• Spoofing or Masquerading of a host or a
  service-provider (Distinguish it from Delegation)
• Repudiation of origin or of creation of some file
• Denial of receipt
• Usurpation unauthorized control