Security 101



1
Security 101
  • PEC Conference
  • University of Richmond
  • October 18, 2005
  • Chris Faigle

2
What are the issues?
  • Privacy
  • Is it almost gone???
  • E-mails for sale, online lookup of phone numbers,
    addresses, maps, tax sales
  • Cell-phone 911 locators
  • Public and Traffic Cameras
  • Identity
  • Are we losing the ability to be uniquely
    identified?
  • Used to simply be Social Security Number
  • We do not use SSNs for identification on campus,
    except where mandated (i.e. Human Resources,
    Student Financial Aid)
  • Identity theft

3
More issues?
  • Viruses and Trojans
  • We are under automated attack
  • Worms, viruses and trojans
  • It goes on: Spam and Phishing
  • My inbox is attacking me
  • My browser is attacking me

4
What happened?
  • The Internet began to connect all computers
    together
  • Businesses came to rely on computers
  • Huge increase in personal data collecting
  • Internet-based services became available: e-mail,
    shopping, banking, auction, gambling, chat,
    etc.
  • Home computer use in developed countries became
    the norm
  • Computers began to auto-execute many things
  • E-mails
  • Web controls
  • ZIP files

5
What else happened?
  • Lack of user training
  • Software vendors did not make proper future
    assumptions about their software
  • Insecure default installation settings
  • There were no built-in systems for authentication
  • As communication increased, the knowledge of how
    to break software and systems has become
    publicized
  • Bottom line
  • It became technically possible and even at times
    profitable to produce automated and anonymous
    large scale attacks or small scale penetrations

6
Identity
  • Identity is what we authenticate
  • i.e. The entity or person is who they claim to be
  • How do we authenticate this identity?
  • Person to person
  • Birth certificates
  • Photo-ID (driver's license / passport)
  • Knowledge of some information (SSN, address,
    mother's maiden name)
  • Person to machine
  • User ID / Passwords (something you know)
  • Tokens (something you have)
  • Biometrics (something you are)
  • Once we authenticate a person or entity, we
    then authorize what access or rights they have

7
Passwords
  • Passwords are the easiest form of machine
    authentication to implement
  • What makes a good password?
  • Not a standard word
  • Hard to guess
  • Has a reasonable length (at least 8 characters)
  • Uses numbers and symbols
  • And both upper and lower case
  • Automatic password cracking programs
  • John
  • L0phtCrack

8
Smart Cards and Tokens
  • Smart Cards
  • Contain an entire computer on a chip on the card
  • Contain secret encryption keys (see later) that
    prove your identity
  • Require a reader in order to attach to a
    computer
  • SmartVisa
  • American Express Blue card
  • Tokens
  • Are either really a smart-card
  • These normally interface via USB and have a smart
    card reader built in
  • Or are a display with a number or passphrase that
    changes every minute
  • These are normally typed in to a system as an
    additional password
  • Normally these are issued to a person and then
    the secret keys are associated with their identity

9
Biometrics
  • Fingerprints
  • IBM Laptop option
  • Retinal Scans
  • Hand / Palm Scans
  • Busch Gardens
  • New recreation center
  • Normally these are hashed to provide a single
    number or sequence for matching
  • Issues
  • What happens if this data is compromised?
  • Can I be required to give you this data?
  • False Accept Rate
  • False Reject Rate

10
Encryption
  • Encryption - Converts clear text to encrypted
    text
  • Decryption - Converts encrypted text back to
    clear text
  • Normally we encrypt some data for someone or
    thing (perhaps us) to decrypt later but to keep
    secure in the meantime
  • While stored
  • During communication
  • Depending on the algorithm the encrypted data may
    or may not be the same size
  • Modern encryption uses the concept of a function
    plus a key
  • The key is simply a long number
  • The function is an algorithm that takes in data
    and uses the key to encrypt/decrypt it

11
Encryption II
  • Encryption Function F Uses key
  • Decryption Function F Uses key
  • Sometimes the encryption functions are the same
  • other times not but they will be related
  • Sometimes the keys will be the same
  • other times not but they will be related
  • Encryption
  • F( key, clear_text ) = encrypted_text
  • F( key, encrypted_text ) = clear_text
  • Length of the key
  • Normally described in bits
  • Changes the amount of work to brute-force an
    algorithm
  • Keys of length 1024 take 2^512 times as long as a
    key of length 512

12
Symmetric Key Encryption
  • Also known as shared key encryption
  • Here encryption Key = decryption Key
  • i.e. The encryption and decryption use the same
    key
  • Simplest example
  • Bitwise XOR (Exclusive Or)
  • XOR logic table (Noted by ⊕)
  • 0 ⊕ 0 = 0
  • 0 ⊕ 1 = 1
  • 1 ⊕ 0 = 1
  • 1 ⊕ 1 = 0
  • On-board example
  • Real types
  • DES
  • 3DES (Really DES applied three times)
  • AES
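
The on-board example was not captured in this transcript. As an added illustration (not part of the original presentation), this Python sketch uses bitwise XOR as F(key, data) and shows one reason it stays a teaching cipher: when a key is reused, it cancels out of the XOR of two ciphertexts. The function names, key and messages are constructed for the example.

```python
from itertools import cycle

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """F(key, data): XOR every data byte with the repeating shared key."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

def demo() -> dict:
    key = bytes.fromhex("5ac3179e")             # constructed 32-bit shared key
    m1, m2 = b"MEET AT NOON", b"MEET AT DAWN"   # constructed clear text
    c1, c2 = xor_cipher(key, m1), xor_cipher(key, m2)
    return {
        # The same function with the same key undoes the encryption.
        "round_trip": xor_cipher(key, c1) == m1,
        # XOR never changes the size of the data.
        "same_size": len(c1) == len(m1),
        # Caveat: with a reused key, the key cancels out of c1 XOR c2.
        "key_cancels": xor_bytes(c1, c2) == xor_bytes(m1, m2),
        # Bytes where the two clear texts agree show up as zeros.
        "shared_prefix_zeroed": xor_bytes(c1, c2)[:8] == bytes(8),
    }

if __name__ == "__main__":
    print(demo())
```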

13
Public / Private Key Encryption
  • Public Private
  • In this case there are two keys
  • Public: Key_public - Given out to anyone
  • Private: Key_private - Kept very private
  • These are related by an algorithm based on a
    mathematical formula
  • Expensive (in machine cycle terms) to calculate
    these keys
  • Expensive to use
  • Types
  • RSA
  • DSA
  • Elliptic Curve Cryptography

14
Public / Private Key Encryption II
  • Encryption with Key_public
  • Data can only be decrypted with Key_private
  • Scenario
  • Sender gets the Receiver's public key
  • Sender encrypts data using the Receiver's public
    key
  • Sender sends the encrypted data to the Receiver
  • Receiver decrypts it
  • Encryption with Key_private
  • Anyone with Key_public can decrypt it
  • Used for Digital Signatures (see next slide)
  • Public keys can be made available on internal or
    external key servers so that they can be obtained
    automatically for encryption or digital signature
    verification

15
Digital Signatures
  • Signing
  • Using a private key to create a unique number
    (digital signature) for a message (or data or
    file)
  • Can be verified using the associated public key
  • Proves that the private key must have signed the
    message
  • Infrastructure is required to be able to verify
    digital signatures
  • Issues
  • Requirements for revoking
  • Private key compromise
  • Standards

16
Digital Signatures - Scenario
  • Signer hashes file/data
  • Uses a standard algorithm to convert the file
    from its raw data to a single number of a fixed
    length
  • The hash algorithm has some unique properties
  • Signer encrypts hash result using their private
    key Key_private
  • Verifier decrypts this using Signer's public key
    Key_public
  • Verifier hashes the original file/data and
    compares the two results
  • If same
  • Signer must have signed this exact file/data with
    the corresponding private key since they are the
    only one with this

17
How SSL Works
  • Web Server has both a private key and a public
    key
  • Your browser requests a secure web-page from the
    server
  • The server sends its public key to your browser
  • Your browser generates a random symmetric key
  • Your browser encrypts this key using the server's
    public key and sends it to the server
  • The server receives and decrypts this symmetric
    key
  • The server and browser begin to communicate with
    the rest of the session encrypted using this key
    and symmetric (shared key!) cryptography
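
The signature scenario (slide 16) and the SSL key exchange (slide 17), as an added Python example that is not part of the original presentation. It uses textbook RSA built from two publicly known Mersenne primes with no padding, so it is a teaching model only; every function name and the sample document are assumptions made for the example.

```python
import hashlib
import secrets

# Toy RSA key pair from two publicly known primes (teaching model only).
P, Q = 2**127 - 1, 2**521 - 1
N = P * Q                              # modulus, part of both keys
E = 65537                              # Key_public  = (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # Key_private = (N, D)

def file_hash(data: bytes) -> int:
    """Slide 16: convert the raw data to a single fixed-length number."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """Signer encrypts the hash result using Key_private."""
    return pow(file_hash(data), D, N)

def verify(data: bytes, signature: int) -> bool:
    """Verifier decrypts with Key_public, re-hashes the data, compares."""
    return pow(signature, E, N) == file_hash(data)

def browser_key_exchange() -> tuple:
    """Slide 17: browser generates a random symmetric key and encrypts it
    with the server's public key. Returns (key kept locally, value sent)."""
    session_key = secrets.randbits(128)
    return session_key, pow(session_key, E, N)

def server_key_exchange(wrapped: int) -> int:
    """Server decrypts the symmetric key using its private key."""
    return pow(wrapped, D, N)

def demo() -> dict:
    doc = b"constructed sample: pay Alice 10 dollars"
    sig = sign(doc)
    browser_key, wire = browser_key_exchange()
    return {
        "genuine_ok": verify(doc, sig),
        # Changing the file changes its hash, so the signature no longer matches.
        "tampered_ok": verify(doc.replace(b"10", b"99"), sig),
        # Both ends now hold the same key for the symmetric part of the session.
        "keys_match": server_key_exchange(wire) == browser_key,
    }

if __name__ == "__main__":
    print(demo())
```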

18
Network Security I
  • Firewalls
  • Filters our Internet traffic
  • Removes people remotely trying to interact with
    our Microsoft Systems
  • Packeteer
  • Controls bandwidth to our Internet connection
  • Squelches certain protocols down to low bandwidth
  • P2P (Peer to Peer)
  • Gives the students a minimum bandwidth
  • But gives the Faculty/Staff and Lab machines
    priority bandwidth
  • VPN
  • Allows an outside user to have an encrypted
    tunnel into our network; software is available
    for download for fac/staff
  • IDS / IPS
  • Coming soon. This will prevent higher level web
    and other attacks and help our infrastructure be
    more resilient

19
Network Security II
  • Do we monitor the Internet?
  • No, and not really
  • No - we do not record the parameters and
    web-traffic contents of web surfing
  • However - we do have a log of the addresses and
    which IP address hit them
  • Do we block any Internet Protocols?
  • We block some standard protocols that are
    standard to block
  • We use the Packeteer to squelch certain protocols
  • We also block IRC as it is a security risk for
    compromised machines
  • Malicious processes on compromised machines
    join IRC channels and say "Hi. I'm
    141.166.xx.xx and I'm compromised."
  • Others on the channel can then reply with
    commands that control the machine, often to
    download other software

20
Network Security III
  • Do we simply turn over information to external
    agencies, i.e. RIAA, etc.?
  • No, we follow a process
  • Must have a valid subpoena
  • Will be passed to the University's General
    Counsel
  • We absolutely will comply with all laws and
    lawful orders and subpoenas
  • In the future, we may be required to automate
    monitoring for law agencies?

21
Wireless Security
  • We now have campus-wide wireless coverage
  • Richmond SSID
  • This is broadcast for registration
  • URWIN
  • This is our real network
  • Requires authentication
  • We use EAP-TLS with TKIP
  • This is one step down from the absolute best
    current standard, but that would have required a
    hardware upgrade for each laptop
  • However, fear not. This is very secure!

22
U of R Security Systems
  • Firewalls
  • Virtual LANs
  • Computer Registration
  • Anti-Virus
  • Packeteer
  • Systems Management Server
  • Background patch checking
  • E-mail handling: spam, anti-virus
  • Authentication and authorization systems

23
U of R Security Systems Anti-Virus
  • We use Symantec Corporate AntiVirus for PC
    Systems and also Macs
  • All machines connected to the network are
    required to have this software
  • We have a license that covers the faculty and
    staff home machines available from the software
    download page

24
U of R System Types
  • Frozen (Deep Freeze)
  • Classrooms
  • Labs
  • Library
  • Some additional public use or other machines
  • Managed (SMS)
  • Faculty
  • Staff
  • Generic workstations used by single people
  • Servers
  • Other
  • There are a small number of systems that for
    technical reasons cannot be treated like the
    others
  • These are determined on a one-off basis

25
How can I protect myself at home?
  • Keep your machine patched
  • This is the single most important item
  • Patch your operating system
  • Patch your word processing and other packages
  • Patch any tools
  • Automate this patching process if possible
  • Note that this can lead to your machine
    installing software for you
  • Run a firewall
  • Microsoft
  • Turn on the XP firewall
  • Or install the free version of ZoneAlarm
  • http://zonealarm.com
  • Macintosh
  • Turn on the built-in firewall

26
How can I protect myself at home? II
  • Do not open e-mail that you do not recognize
  • You did not win the lottery
  • You are not going to get money from Nigeria
  • PayPal does not need you to update your account
  • Buying Viagra from a Spam message? Good luck
    there!!
  • Do not follow links that are sent via e-mail,
    Instant Messenger, etc
  • It is not a new Bin Laden video
  • It is not from your friends
  • Store your personal data in an encrypted folder
  • Download the free version of PGP: http://www.pgp.com
  • Or the Open Source version, GnuPG
  • Do not shop online at sites that are not
    trustworthy
  • Do not give out any more information than needed

27
How can I protect my Kids?
  • My "Kids" are the students here. I assume they
    are adults and we essentially do not filter
    behavior
  • Real Kids are not
  • The Internet will expose them to all of the
    knowledge of the world, from the very good to the
    very bad
  • And it is not going to go away or get better
  • Education and information!!
  • Have an open dialog so they can make the best
    choices
  • Install NetNanny or one of the other filters
  • In short: Draw a line in the sand and do not
    deviate
  • For younger kids - if you feel you need
    to monitor chat-rooms, then you simply should
  • At some point they are capable of making their
    decisions
  • Remember Every weirdo has access to the Internet

28
Staying Anonymous on the Internet
  • Part of protecting your privacy is done by being
    private
  • Thinking of posting your religious, political,
    poorly worded, disgusting, repetitive or
    offensive view? Using your real name?
  • What will a future employee see about you on the
    Internet?
  • Avoid breaking the law: court results are
    public information
  • I may meet you on the Internet and you will
    never know
  • BAD NEWS: This is only going to get worse
  • IDEA: Name your baby John Smith or Ann Kelly

29
Questions?