LECTURE 10: LEGAL AND CRITICAL ISSUES IN COMPUTER SECURITY

INTRODUCTION

To know what protection the law provides for computers and data, to appreciate the laws that protect the rights of others with respect to computers, programs and data, and to understand how existing laws provide a basis for recommending new laws to protect computers and data.

Law is not always the appropriate way to deal with issues of human behavior.

Differences between LAWS and ETHICS

Laws
  • Described by formal, written laws
  • Interpreted by courts
  • Established by legislature representing everyone
  • Applicable to everyone
  • Priority determined by courts if two laws conflict
  • Courts are the final arbiter of right
  • Enforceable by police and courts

Ethics
  • Described by unwritten principles
  • Interpreted by individuals
  • Presented by philosophers, religions, professional groups
  • Personal choice
  • Priority determined by individuals if two principles conflict
  • Limited enforcement

Protecting Programs and Data


Copyrights


- Are designed to protect the expression and data.
- Apply to creative work such as a story.
- Are intended to allow the regular and free exchange of ideas.
- Must apply to any original work, and the work must be in some tangible medium of expression.
- Are granted to the originator of the expression.
- Can also be granted for a work that contains some public domain material as long as there is some originality, without the need for the author to identify what is public and what is original.

Patents

- Differ from copyrights in that they apply to the results of science, technology and engineering.
- Can protect a new and useful process, machine, manufacture or composition of matter.
- Are designed to protect the device or process for carrying out an idea.
- Are valid only for something that is truly novel or unique.
- Are granted to whoever invented it first, regardless of who filed the invention first.
- The patent applicant has to reveal what is novel about the invention.
- The patent owner then uses the patented invention by producing it or by licensing others to produce it.

Trade Secret

A trade secret is information that gives one company a competitive edge over others. For example, the formula for a soft drink is a trade secret, as is a mailing list of customers, or information about a product due to be announced in a few months.

The distinguishing characteristic of a trade secret is that it must always be kept secret. The owner must take precautions to protect the secret, such as storing it in a safe, encrypting it in a computer file, or making employees sign a statement that they will not disclose the secret.
Trade secret protection applies very well to computer software.

The underlying algorithm of a computer program is novel, but its novelty depends on nobody else’s knowing it.

Trade secret protection allows distribution of the result of a secret (the executable program) while still keeping the program design hidden.
Trade secret protection does not cover copying a product (specifically a computer program), so that it cannot protect against a pirate who sells copies of someone else’s program without permission.

However, trade secret protection makes it illegal to steal a secret algorithm and use it in another product.


Why Is Computer Crime Hard to Define?

Understanding
*Neither courts, lawyers, police agents, nor jurors necessarily understand computers.

Fingerprints
*Police and courts for years depended on tangible evidence, such as fingerprints. But with many computer crimes there simply are no fingerprints, no physical clues.

Form of Assets
*We know what cash is, or diamonds, or even negotiable securities. But are 20 invisible magnetic spots really equivalent to a million dollars?

Juveniles
*Many computer crimes involve juveniles. Society understands immaturity and can treat even very serious crimes by juveniles as being done with less understanding than when the same crime is committed by an adult.

Type of Crimes Committed

Telecommunications Fraud
*It is defined as avoiding paying telephone charges by misrepresentation as a legitimate user.

Embezzlement
*It involves using the computer to steal or divert funds illegally.

Hacking
*It denotes a compulsive programmer or user who explores, tests, and pushes computers and communications systems to their limits, often through illegal activities.

Automatic Teller Machine Fraud
*It involves using an ATM machine for a fraudulent activity - faking deposits, erasing withdrawals, diverting funds from another person’s account through stolen PIN numbers.

Records Tampering
*It involves the alteration, loss, or destruction of computerised records.

Acts of Disgruntled Employees
*They often use a computer for revenge against their employer.

Child Pornography and Abuse
*These are illegal or inappropriate acts of a sexual nature committed with a minor or child, such as photographing or videotaping.

Drug Crimes
*Drug dealers use computers to communicate anonymously with each other and to keep records of drug deals.

Organised Crime
*For all kinds of crime, the computer system may be used as their tools.


Summary


Firstly, the legal mechanisms of copyright, patent, and trade secret were presented as means to protect the secrecy of computer hardware, software and data.

However, these mechanisms were designed before the invention of the computer, so their applicability to computing needs is somewhat limited.

Meanwhile, program protection is especially desired, and software companies are pressing the courts to extend the interpretation of these means of protection to include computers.

Secondly, the relationship between employers and employees was considered in the context of writers of software. Well-established laws and precedents control the acceptable access an employee has to software written for a company.

Thirdly, some difficulties in prosecuting computer crime were described. In general, the courts have not yet granted computers, software, and data appropriate status considering value of assets and seriousness of crime. The legal system is moving cautiously in its acceptance of computers.

What are Ethics?

Society relies on ethics or morals to prescribe generally accepted standards of proper behaviour.

An ethic is an objectively defined standard of right and wrong within a group of individuals.

These ethics may be influenced by religious belief. Therefore, through choices, each person defines a personal set of ethical practices.

A set of ethical principles is called an ethical system.

Differences of The Law and Ethics

Firstly, laws apply to everyone, even if you do not agree with them; you are still forced to respect and obey the laws.

Secondly, there is a regular process through the courts for determining which law supersedes which if two laws conflict.

Thirdly, the laws and the courts identify certain actions as right and others as wrong. From a legal standpoint, anything that is not illegal is right.

Finally, laws can be enforced, and there are ways to rectify wrongs done by unlawful behaviour.

Contrast of Law Versus Ethics

LECTURE 9: INTRUSION DETECTION SYSTEM

Intruders
Security Intrusion & Detection

Types of IDS
*HIDS
*NIDS
*DIDS
IDS Techniques
SNORT
Honeypots

An intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks by, for example, crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.

An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).

An IDS can be composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.

IDS Terminology
*Alert/Alarm- A signal suggesting a system has been or is being attacked [1].

*True attack stimulus- An event that triggers an IDS to produce an alarm and react as though a real attack were in progress [1].

*False attack stimulus- The event signaling an IDS to produce an alarm when no attack has taken place [1].

*False (False Positive)- An alert or alarm that is triggered when no actual attack has taken place [1].

*False negative- A failure of an IDS to detect an actual attack.

*Noise- Data or interference that can trigger a false positive.

*Site policy- Guidelines within an organization that control the rules and configurations of an IDS.

*Site policy awareness- The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.

*Confidence value- A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.

*Alarm filtering- The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
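
The engine-with-rules design and the false positive / false negative terms above can be seen together in a short added example (not part of the original notes): a rule engine alerts when one source produces several failed logins inside a time window, and the alerts are then scored against labelled events. The event format, the addresses, the threshold of 3 and the 60-second window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One security event as a sensor might report it (constructed format)."""
    ts: int          # seconds since the start of the capture
    sensor: str      # "hids" or "nids"
    src: str         # source address
    kind: str        # "login_failed" or "login_ok"
    malicious: bool  # ground-truth label, used only for scoring


# Constructed sample events:
#   10.0.0.9  - fast password guessing (a true attack stimulus)
#   10.0.0.20 - a user mistyping a password three times (noise)
#   10.0.0.77 - slow guessing that stays under the rule's rate
EVENTS = [
    Event(0, "hids", "10.0.0.9", "login_failed", True),
    Event(5, "hids", "10.0.0.9", "login_failed", True),
    Event(9, "hids", "10.0.0.9", "login_failed", True),
    Event(12, "hids", "10.0.0.9", "login_failed", True),
    Event(100, "hids", "10.0.0.20", "login_failed", False),
    Event(110, "hids", "10.0.0.20", "login_failed", False),
    Event(115, "hids", "10.0.0.20", "login_failed", False),
    Event(120, "hids", "10.0.0.20", "login_ok", False),
    Event(200, "nids", "10.0.0.77", "login_failed", True),
    Event(400, "nids", "10.0.0.77", "login_failed", True),
    Event(600, "nids", "10.0.0.77", "login_failed", True),
]


def run_engine(events, threshold=3, window=60):
    """Engine rule: alert on a source with `threshold` failures within `window` seconds."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerted = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind != "login_failed":
            continue
        q = recent[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(ev.src)
    return alerted


def score(events, alerted):
    """Compare alerts with the ground truth, using the terminology above."""
    truly_bad = {e.src for e in events if e.malicious}
    return {
        "true_positive": sorted(alerted & truly_bad),
        "false_positive": sorted(alerted - truly_bad),
        "false_negative": sorted(truly_bad - alerted),
    }


if __name__ == "__main__":
    for threshold in (3, 4):
        print(threshold, score(EVENTS, run_engine(EVENTS, threshold=threshold)))
```

Raising the threshold to 4 removes the false positive in this sample, but neither setting catches the slow source, which is the kind of trade-off a confidence value is meant to summarise.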

Types of Intrusion-Detection systems
There are three main types of systems in which IDS can be used: network, applications and hosts.

In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic.

In application-based systems, PIDS and APIDS are used to monitor the transport and protocols for illegal or inappropriate traffic or constructs of a language. Examples are forged SQL queries attempting to delete database records and viruses in emails.

In a host-based system, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed. Examples are attempts to modify the master boot record, keyloggers and file access.

Hybrids of the two latter systems also exist.

Network intrusion detection system (NIDS)

It is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, network switch configured for port mirroring, or network tap. An example of a NIDS is Snort.

Protocol-based intrusion detection system (PIDS)

It consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server. For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect. Where HTTPS is in use, this system needs to reside in the "shim", or interface, between the point where HTTPS is decrypted and the point immediately prior to its entering the Web presentation layer.

Application protocol-based intrusion detection system (APIDS)
It consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.

Host-based intrusion detection system (HIDS)
It consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state. An example of a HIDS is OSSEC.

Hybrid intrusion detection system
It combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.

Intrusion detection systems can also be system-specific using custom tools and honeypots.

LECTURE 8: FIREWALL

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria.

Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. In addition, it is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
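
The packet filter in item 1 and its IP spoofing weakness can be shown with a short added example (not part of the original notes): a first-match rule list with a default drop, evaluated once without and once with an anti-spoofing rule that ties the internal address range to the inside interface. The addresses, the rule set and the `iface` field are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

INSIDE_NET = "192.168.1.0/24"       # assumed internal range
WEB_SERVER = "192.168.1.10/32"      # assumed public web server


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None means "any"
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (
            ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            and self.proto in (None, p.proto)
            and self.dport in (None, p.dport)
            and self.iface in (None, p.iface)
        )


def filter_packet(rules, p: Packet) -> str:
    """First matching rule decides; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "drop"


# Weak policy: internal hosts are trusted purely by source address.
WEAK_RULES = [
    Rule("accept", dst=WEB_SERVER, proto="tcp", dport=80),
    Rule("accept", src=INSIDE_NET),
]

# Corrected policy: an internal source address arriving on the outside
# interface cannot be genuine, so it is dropped before any accept rule.
HARDENED_RULES = [Rule("drop", src=INSIDE_NET, iface="outside")] + WEAK_RULES

# Constructed packets.
SPOOFED = Packet("outside", "192.168.1.50", "192.168.1.10", "tcp", 21)
GENUINE_INSIDE = Packet("inside", "192.168.1.50", "203.0.113.5", "tcp", 443)
WEB_REQUEST = Packet("outside", "203.0.113.5", "192.168.1.10", "tcp", 80)
OUTSIDE_FTP = Packet("outside", "203.0.113.5", "192.168.1.10", "tcp", 21)

if __name__ == "__main__":
    for name, pkt in [("spoofed", SPOOFED), ("inside", GENUINE_INSIDE),
                      ("web", WEB_REQUEST), ("outside ftp", OUTSIDE_FTP)]:
        print(name, filter_packet(WEAK_RULES, pkt), filter_packet(HARDENED_RULES, pkt))
```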

LECTURE 7: WIRELESS SECURITY

Wireless LANs
IEEE ratified 802.11 in 1997.
-Also known as Wi-Fi.
Wireless LAN at 1 Mbps & 2 Mbps.
WECA (Wireless Ethernet Compatibility Alliance) promoted Interoperability.
-Now Wi-Fi Alliance
802.11 focuses on Layer 1 & Layer 2 of OSI model.
-Physical layer
-Data link layer

A wireless local area network (WLAN) links two or more devices using some wireless distribution method (typically spread-spectrum or OFDM radio), and usually provides a connection through an access point to the wider internet. This gives users the mobility to move around within a local coverage area and still be connected to the network.

Wireless LANs have become popular in the home due to ease of installation, and the increasing popularity of laptop computers. Public businesses such as coffee shops and malls have begun to offer wireless access to their customers; sometimes for free.

Types of wireless LAN

::Peer to peer::
An ad-hoc network is a network where stations communicate only peer to peer (P2P). There is no base and no one gives permission to talk. This is accomplished using the Independent Basic Service Set (IBSS).

A peer-to-peer (P2P) network allows wireless devices to directly communicate with each other. Wireless devices within range of each other can discover and communicate directly without involving central access points. This method is typically used by two computers so that they can connect to each other to form a network.

If a signal strength meter is used in this situation, it may not read the strength accurately and can be misleading, because it registers the strength of the strongest signal, which may be the closest computer.

IEEE 802.11 defines the physical layer (PHY) and MAC (Media Access Control) layers based on CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). The 802.11 specification includes provisions designed to minimize collisions, because two mobile units may both be in range of a common access point, but out of range of each other.

The 802.11 standard has two basic modes of operation. Ad hoc mode enables peer-to-peer transmission between mobile units. Infrastructure mode, in which mobile units communicate through an access point that serves as a bridge to a wired network infrastructure, is the more common wireless LAN application and the one being covered. Since wireless communication uses a more open medium for communication in comparison to wired LANs, the 802.11 designers also included shared-key encryption mechanisms, Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA, WPA2), to secure wireless computer networks.

::Bridge::

A bridge can be used to connect networks, typically of different types. A wireless Ethernet bridge allows the connection of devices on a wired Ethernet network to a wireless network. The bridge acts as the connection point to the Wireless LAN.

::Wireless distribution system::

A Wireless Distribution System is a system that enables the wireless interconnection of access points in an IEEE 802.11 network. It allows a wireless network to be expanded using multiple access points without the need for a wired backbone to link them, as is traditionally required. The notable advantage of WDS over other solutions is that it preserves the MAC addresses of client packets across links between access points.

An access point can be either a main, relay or remote base station. A main base station is typically connected to the wired Ethernet. A relay base station relays data between remote base stations, wireless clients or other relay stations to either a main or another relay base station. A remote base station accepts connections from wireless clients and passes them to relay or main stations. Connections between "clients" are made using MAC addresses rather than by specifying IP assignments.

All base stations in a Wireless Distribution System must be configured to use the same radio channel, and share WEP keys or WPA keys if they are used. They can be configured to different service set identifiers. WDS also requires that every base station be configured to forward to others in the system.

WDS may also be referred to as repeater mode because it appears to bridge and accept wireless clients at the same time (unlike traditional bridging). It should be noted, however, that throughput in this method is halved for all clients connected wirelessly.

When it is difficult to connect all of the access points in a network by wires, it is also possible to put up access points as repeaters.

WPA and WEP

WPA and WEP are technologies that "encrypt" the traffic on your network. That is, they scramble it so that an attacker can't make any sense of it. To unscramble it at the other end, all systems using it must know a "key" or password.

Note that WPA is now in a second generation, referred to as WPA2. Unless otherwise specified, this document uses "WPA" to refer to both.

WPA and WEP provide both access control and privacy. Privacy comes from the encryption. Access control comes from the fact that someone must know the password to use your network.

For this reason, for small networks, using WPA is enough to meet the requirements of the Wireless policy. However you will still want to make sure that any services that use a password or other private information use SSL or some other type of end to end encryption.

WEP is significantly less secure than WPA, but can be used until your equipment can be upgraded to support WPA. While WEP is widely regarded as insecure, it is still a lot better than nothing.

WPA has two modes, personal and enterprise. For small installations you'll want to use personal mode. It just requires a password. Enterprise mode is for larger installations that have a RADIUS server that will support WPA.

The primary problem with WPA in personal mode is that it has a single password, which you must tell to all users. That becomes impractical for larger installations.

WPA in enterprise mode requires each user to log in with their own username and password. That simplifies management in large installations, because you don't have to distribute a common password to all your users. However it is a bit more complex to implement:

* Each user's system must have special software to let the user log in to the network. This software is referred to as an "802.1x supplicant".
* The access point must support WPA enterprise mode. The access point is configured to talk to a RADIUS server, which is a central server that actually checks the password.
* You must have a RADIUS server that supports WPA enterprise mode. While the RADIUS server may have its own list of usernames and passwords, it would be more common for it to talk to an LDAP or Active Directory server, so that users log in to the network with the same password that they use for other services.

For this reason, most large implementations at Rutgers do not use enterprise mode. Instead they use separate gateway boxes for access control, and depend upon end to end encryption for privacy. One can argue that this is not as secure as WPA enterprise mode, but it avoids the support implications of requiring users to log in to the network with an 802.1x supplicant.

Choosing a good password

It is critical to use a good password. There are attacks against WPA that will break your security if your password uses words or any other well-known sequences. WPA allows passwords as long as 63 characters. We strongly recommend using a long random password, or at the very least a long phrase (at least 20 characters, but preferably longer). The phrase should not be taken from any web site or published work. Most software saves the password, so you only need to type it once on each system.

Even better than a long phrase is a truly random password. For example, consider using http://rulink.rutgers.edu/random.php3. This generates a random 32-character hex string. You can combine two of them (and leave off one character) to get a 63-character password.
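
The recipe above (two 32-character hex strings joined, minus one character) can also be done locally, as in this added example that is not part of the original notes. It also shows why the choice matters: in personal mode the 256-bit key is derived only from the passphrase and the network name with PBKDF2-HMAC-SHA1 (4096 iterations), so a passphrase built from known words can be tested offline by anyone who knows the SSID. The short list of weak passphrases and the SSID are constructed for the illustration.

```python
import hashlib
import secrets

# Constructed stand-in for a list of well-known passphrases.
KNOWN_WEAK = {"password", "12345678", "letmein123", "qwertyuiop"}


def random_wpa_passphrase() -> str:
    """Two 32-character hex strings joined, with one character left off: 63 characters."""
    return (secrets.token_hex(16) + secrets.token_hex(16))[:63]


def check_passphrase(passphrase: str) -> list:
    """Return a list of problems; an empty list means the passphrase is acceptable."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA passphrases must be 8 to 63 characters long")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII characters are allowed")
    if len(passphrase) < 20:
        problems.append("shorter than the 20 characters recommended above")
    if passphrase.lower() in KNOWN_WEAK:
        problems.append("appears in a list of well-known passphrases")
    return problems


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 personal mode key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


if __name__ == "__main__":
    phrase = random_wpa_passphrase()
    print(len(phrase), check_passphrase(phrase))
    print(check_passphrase("password"))
    # The same passphrase on two networks gives two different keys,
    # because the SSID is the salt. "lab-wlan" is a constructed SSID.
    print(derive_psk(phrase, "lab-wlan").hex())
```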


LAB 6 - Security in Network

This week, we are given 2 tasks which are:


Task 1: Capture FTP username and password
Task 2: Using IPSec to secure FTP Transaction

Capturing File Transfer Protocol (FTP) username and password

Step 1: Start your virtual machine containing winserv03_server and winserv03_client.

Step 2: Login as Administrator

Step 3: Set the IP address of your winserv03_server and winserv03_client as below.

winserv03_server = 192.166.1.106
winserv03_client = 192.166.1.105


On winserv03_server:

Step 4: Check that your winserv03_server already has the FTP server and Wireshark installed. If the FTP server is installed, start the FTP service using [Start] | [Administrative tools] | [Internet Information Services (IIS)]; otherwise you need a Windows Server 2003 CD to install Internet Information Services (IIS) with FTP.

Step 5: If Wireshark is not installed, it can be downloaded for free from http://www.wireshark.org.

Step 6: If it is installed then open Wireshark on winserv03_server. [Start] | [Program] | [Wireshark].



Step 7: Click on [Capture] | [Interfaces] to choose the network interface you want to monitor (refer to figure 6.4). Choose the network interface that has the IP address 192.168.1.106 and click [Start] (refer to figure 6.5).

On winserv03_client

Step 8: On the winserv03_client VM, open a command prompt and log in to the FTP server on winserv03_server using the following command.

On winserv03_server

Step 9:
As you log in, view the Wireshark interface on the winserv03_server VM. You will notice that the username and password that you used to log in to the FTP server from the winserv03_client side are clearly visible on the monitor. Capture the screen of your Wireshark output using the Print Screen button on your keyboard.

Step 10:
To simulate this in a real environment you need two computers connected via a crossover cable.
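
What Wireshark shows in Step 9 follows from the FTP control channel carrying `USER` and `PASS` as plain text lines. The added example below (not part of the original lab sheet) turns that observation into a check a defender can run over captured control-channel bytes: it reports each cleartext login while recording only the password length, and finds nothing in an opaque payload. The sample streams, the user name and the severity labels are constructed for the illustration.

```python
import re

# Constructed client-to-server bytes of an FTP control connection (TCP port 21)
# as they appear on the wire when nothing protects the session.
SAMPLE_STREAM = (
    b"USER labuser\r\n"
    b"PASS Example-Pass-1\r\n"
    b"SYST\r\n"
    b"LIST\r\n"
    b"QUIT\r\n"
)

# Constructed anonymous login, where the "password" is conventionally an e-mail address.
ANONYMOUS_STREAM = b"USER anonymous\r\nPASS guest@example.com\r\nQUIT\r\n"

# Constructed stand-in for a payload that is encrypted in transit:
# the observer sees bytes, but no command lines.
ENCRYPTED_STREAM = bytes(range(0x80, 0x100))

_LOGIN_CMD = re.compile(rb"^(USER|PASS) (.*)$", re.IGNORECASE)
_ANONYMOUS_USERS = {"anonymous", "ftp"}


def find_cleartext_logins(stream: bytes) -> list:
    """Return one finding per USER/PASS pair seen in cleartext.

    The password itself is never stored, only its length, so the report
    can be shared without spreading the credential further.
    """
    findings = []
    user = None
    for line in stream.split(b"\r\n"):
        m = _LOGIN_CMD.match(line)
        if m is None:
            continue
        verb = m.group(1).upper()
        arg = m.group(2).decode("latin-1")
        if verb == b"USER":
            user = arg
        else:  # PASS
            anonymous = (user or "").lower() in _ANONYMOUS_USERS
            findings.append({
                "user": user,
                "password_length": len(arg),
                "severity": "low" if anonymous else "high",
            })
            user = None
    return findings


if __name__ == "__main__":
    for label, data in [("plain", SAMPLE_STREAM),
                        ("anonymous", ANONYMOUS_STREAM),
                        ("encrypted", ENCRYPTED_STREAM)]:
        print(label, find_cleartext_logins(data))
```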





Using IPSec to secure FTP transaction


On winserv03_server

Step 1:
Click [Start] | [Run] and then type mmc.

Step 2:
Management Console will appear and then, on the menu bar click [File] | [Add/Remove snap-in].

Step 3:
On the Add/Remove Snap-in box, click [Add] button and select the [IP Security Monitor] and click [OK].


Step 4:
Repeat step 3 by selecting IP Security Policy Management on Local Machine and then click [Finish].

Step 5:
On the Add/Remove Snap-in, click [OK].

Step 6: In the right pane, right-click on [Secure Server (Require Security)] | [Properties].

Step 7: In the Secure Server (Require Security) Properties dialog box, highlight All IP Traffic and click [Edit].

Step 8: On the Edit Rule Properties dialog box, select the Authentication Method tab. Click [Add] and the New Authentication Method Properties screen will appear. Select Use this string (preshared key) and then type MSPRESS in the scroll box, then click [OK]. Make sure the client preshared key is the same as the server preshared key.

Step 9:
Highlight the Preshared Key and click the [Move up] button to make the preshared key the first priority for authentication. Click [Apply] | [OK].

Step 10:
Click [OK] on the [Secure Server (Require Security)] Properties dialog box and close it.

Step 11: Right-click on [Secure Server (Require Security)], and click [Assign] from the pop-up menu.



 
On winserv03_client

Step 12: Click [Start] | [Run] and then type mmc.

Step 13: Management Console will appear and on the menu bar click [File] | [Add/Remove snap-in].

Step 14: On the Add/Remove Snap-in box, click [Add] button and select the [IP Security Monitor] and click [OK].

Step 15: Repeat step 3 by selecting IP Security Policy Management on Local Machine and then click [Finish].

Step 16: On the Add/Remove Snap-in, click [OK].

Step 17: In the right pane, right-click on [Secure Server (Require Security)] | [Properties].

Step 18: In the Client (Response Only) Properties dialog box, highlight and click [Edit].

LAB 5- Web Application Security

In this lab, we need to describe the flaws of web applications and how they are exploited. Besides that, we also have to exploit the web vulnerabilities. After that, we need to list prevention methods that can be taken to overcome web application vulnerabilities.

WHAT IS WEB APPLICATION SECURITY?

A web application, or simply webapp, is an application that can be accessed using a web browser over a network, either the Internet or a Local Area Network. It is developed using browser-supported languages such as HTML, JavaScript, PHP, ASP, etc. The script produced is then rendered by a common web browser. Web applications let users access an application or system anywhere and at any time, provided the user is connected to a network and a web browser is installed on the machine. This ease of use makes webapps popular among Internet users. Moreover, the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers contributes to their popularity. Nowadays webapps are used for accessing mail, online banking, online shopping, online reservations, wikis and many other functions.

An increase in the usage of web applications is directly related to an increase in the number of security incidents involving them. Even if the server is patched with the latest version of the software, the network has the latest firewall system installed and an intrusion detection system is deployed to monitor the network, the vital information stored in a web application is still exposed to intrusion if the application itself lacks security features. A web application should be developed carefully and safely because it is the first line of defense: any fault or flaw in its development stage, the server configuration or even the scripting used in its development can open a major loophole that an intruder can use as a backdoor to the entire network.

WebGoat and WebScarab

WebGoat = Simulation toolkit used to demonstrate how the vulnerabilities of a poorly designed web application can be exploited.

WebScarab = Tool for everyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that application has been designed or implemented.

Web Application Hacking simulation using WebGoat and WebScarab


Step 1: Copy WebGoat-OWASP_Standard-5.2.zip and extract it to the C:\ drive.
Step 2: Open the C:\WebGoat-5.2 folder and run webgoat.bat to start Apache Tomcat J2EE.

Step 3: Open an IE 6.0 web browser or a Firefox web browser and type http://localhost/WebGoat/attack.



Step 4: Login as User Name: guest Password: guest


Step 5: Open webscarab-selfcontained-20070504-1631.jar

Step 6: If WebScarab does not open, install the JDK module (jdk-6u4-windows-i586-p.exe) on your computer.

Step 7: Once WebScarab has started, you should see the interface as in figure 5.4.

Step 8: Next, configure the web browser proxy setting to 127.0.0.1 (localhost) port 8008.

Step 9: Go to WebScarab and click on the intercept tab and enable the intercept request checkbox but disable the intercept response checkbox. This will enable the intercept features of the WebScarab in which it will intercept any request signal from the web browser.



Step 10: Close your previous web browser, open it again and type in http://localhost/WebGoat/attack.

Step 11: WebScarab will intercept your request to visit the website by prompting an Edit request window as depicted in figure 5.6. This prompted window shows the request data that you send to the web server.




Step 12: The text field indicated by the arrow contains the data you send to the web server, and it can be modified. (In some of the following tasks you need to modify the content of the text field to help you solve the problem in the lesson.)

Step 13: For this task do not change the text field value; just click the [Accept changes] button to view the WebGoat main page.

Step 14: Each time you click on a submit button or a link on the webpage, the Edit request window will appear, so make sure you click on the [Accept changes] button to view the requested page in the browser.


Getting started with WebGoat and WebScarab

Step 1: Click on [Start WebGoat]



Step 2: Click on the Introduction | How to work with WebGoat menu.




Step 3: Read and follow the instruction given in the WebGoat.


XSS Attack

Step 1: Click on the Cross Site Scripting (XSS) | Phishing with XSS menu



Step 2: Apply the script below to the text field in order to create a false login page so that you can harvest the username and password keyed in by the user.




Step 3: Once you hit the Search button you will see a comment page containing a place for you to log in. This login page is created using the JavaScript above.

Step 4: Try logging in with any username and password. If this were a real phishing website you would not get the message prompted on your screen; instead, the values you supplied might be sent across the world to a server that gathers the login information.

Step 5: Next click on the Cross Site Scripting (XSS) | Reflected XSS Attacks menu.

Step 6: In this lesson some prevention mechanisms have been built into the script: some fields validate the characters you supply and will reject any tag symbol you use. However, there are still some fields that are not protected. Using the script below, find which text field can be exploited using an XSS attack.



Injection Flaws

Step 1: Click on the Injection Flaws | Numeric SQL Injection menu, refer figure 5.10.



Step 2: From the combo list choose a weather station and click the [Go!] button (do not forget to click on the [Accept changes] button of the Edit request window). You will get the information for the country you select.

Step 3: To apply the Injection flaws you need to choose a new country and click [Go!] button. Before clicking the [Accept changes] button on the edit request windows, in the [URLEncoded] tab, add the value station variable with


This is input is a numerical value, refer figure 5.11



Step 4: Once the value is changed, click the [Accept changes] button. The entire data is displayed on the screen. This shows that by manipulating an input field that is not properly designed we can display the entire data in the database.



Step 5: Repeat this task on the Injection Flaws | String SQL Injection. Use the right input for this problem and compare the result. (Hint: The input should be a string).
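Why the whole table comes back in Step 4, and the fix for both the numeric and the string case, shown as an added Python/sqlite3 example (not WebGoat's code). The table, its rows and the tampered values are constructed for illustration and are not taken from the lab sheet.

```python
import re
import sqlite3

# Constructed request values: a normal one and two with an always-true condition added
NORMAL, TAMPERED_NUMERIC, TAMPERED_STRING = "101", "0 OR 1=1", "x' OR '1'='1"


def make_db():
    """In-memory table of constructed sample rows (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE weather (station INTEGER, name TEXT)")
    db.executemany(
        "INSERT INTO weather VALUES (?, ?)",
        [(101, "Columbia"), (102, "Seattle"), (103, "New York"), (104, "Houston")],
    )
    return db


def by_station_concat(db, station):
    """'Before': the request value becomes part of the SQL text."""
    return db.execute("SELECT * FROM weather WHERE station = " + station).fetchall()


def by_station_bound(db, station):
    """'After': the value must be a number, and it is bound as a parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", station):
        raise ValueError("station must be numeric")
    return db.execute(
        "SELECT * FROM weather WHERE station = ?", (int(station),)
    ).fetchall()


def by_name_concat(db, name):
    """'Before', string case: the value is pasted between quotes."""
    return db.execute("SELECT * FROM weather WHERE name = '" + name + "'").fetchall()


def by_name_bound(db, name):
    """'After', string case: quotes inside the value stay data."""
    return db.execute("SELECT * FROM weather WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(len(by_station_concat(db, NORMAL)), len(by_station_concat(db, TAMPERED_NUMERIC)))
    print(len(by_name_concat(db, "Seattle")), len(by_name_concat(db, TAMPERED_STRING)))
    print(by_name_bound(db, TAMPERED_STRING))
```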


Malicious File Execution

Step 1: Click on the Injection Flaws | Command Injection menu; refer to figure 5.14.




Step 2: By choosing a lesson plan to view and clicking the [View] button, the user is shown the content of the lesson. This exercise manipulates the input field by appending a command-line instruction to the input.

Step 3: Select a new lesson and click [View]. Before clicking the [Accept changes] button add the following command to your HelpFile variable value





This command will display the directory listing and the network configuration.

Step 4: Once you click the [Accept changes] button the following output will be displayed on the screen.
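Why an appended command runs at all, and how the server should treat the HelpFile value, shown as an added Python example (not WebGoat's code and not the lab's output). The file names, the `cat lesson_plans/` command line and the tampered value are assumptions constructed for illustration; nothing is executed.

```python
import shlex

ALLOWED = {"AccessControlMatrix.help", "BasicAuthentication.help"}  # hypothetical names
TAMPERED = "BasicAuthentication.help; echo constructed-marker"      # constructed value
SEPARATORS = {";", "&", "&&", "|", "||"}


def command_concat(help_file):
    """'Before': the request value is pasted into a line that a shell will parse."""
    return "cat lesson_plans/" + help_file


def shell_commands(cmdline):
    """Split a command line at the operators a POSIX shell treats as separators.

    Simplified: command substitution and newlines are not modelled.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token in SEPARATORS:
            commands.append(current)
            current = []
        else:
            current.append(token)
    commands.append(current)
    return [c for c in commands if c]


def command_allowlisted(help_file):
    """'After': only known file names pass, and the result is an argument list
    meant for subprocess.run(argv) without shell=True, so no operator is interpreted."""
    if help_file not in ALLOWED:
        raise ValueError("unknown lesson plan")
    return ["cat", "lesson_plans/" + help_file]


if __name__ == "__main__":
    print(shell_commands(command_concat("BasicAuthentication.help")))
    print(shell_commands(command_concat(TAMPERED)))  # two commands instead of one
    print(command_allowlisted("BasicAuthentication.help"))
```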





LECTURE 6: Security in Applications

EMAIL SECURITY


E-Mail 

  • One of the most heavily used network-based applications.
  • Has a sender and a receiver. However, the receiver is not online.
  • Some email systems can only deliver ASCII codes.

Pretty Good Privacy (PGP)

  • Developed by Phil Zimmermann
  • Uses public key encryption, signature scheme, hash function, secret key encryption, compression function and email compatibility.


S/MIME = Secure/Multipurpose Internet Mail Extension 


  • Another security enhanced email system.
  • Similar to PGP in that it uses a signature scheme, session key and secret key encryption.

Functions of S/MIME:


  • Enveloped data
  • Signed data
  • Clear-signed data
  • Signed and enveloped data

Applications of Email Security

  • PGPmail
  • Expressmail
  • POTP Securemail
  • SecretAgent
  • Safe-mail
  • PrivacyX
  • Stealth Messages
  • YNN
  • HyperSend


WEB SECURITY

Includes three parts: security of the server, security of the client, and security of the network traffic between a browser and a server.

Network security can be considered at different levels, for example:

  • Network level: Use IPSec
  • Transport level: Use SSL or TLS
  • Application level: Use PGP, S/MIME or SET

Secure Socket Layer (SSL)

  • Developed by Netscape
  • The main part of SSL contains several protocols: the SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol and SSL Record Protocol
  • Basically, SSL is used to secure the transmission between a client and a server.

Secure Electronic Transaction (SET)

  • Open encryption and security specification designed to protect credit card transactions on the Internet.

Features:

  • Confidentiality of information
  • Integrity of data
  • Cardholder account authentication
  • Merchant authentication

Participants:
  • Cardholder
  • Merchant
  • Issuer
  • Acquirer
  • Payment gateway
  • Certification authority
 
The sequence of events required for a transaction are as follows:
  1. The customer obtains a credit card account with a bank that supports electronic payment and SET
  2. The customer receives an X.509v3 digital certificate signed by the bank.
  3. Merchants have their own certificates
  4. The customer places an order
  5. The merchant sends a copy of its certificate so that the customer can verify that it's a valid store
  6. The order and payment are sent
  7. The merchant requests payment authorization
  8. The merchant confirms the order
  9. The merchant ships the goods or provides the service to the customer
  10. The merchant requests payment

SECURITY AND HTTP

  • By default, HTTP is not hugely secure
  • It does not support HTTP-authentication















LECTURE 5: Security in Network

INTRODUCTION

Computer Networks = Interconnected collection of autonomous computers.

CLASSIFICATIONS OF NETWORKS

Broadcast Networks

Single communication channel that is shared by all the machines on the network.
Allow the possibility of addressing a packet to all destinations by using a special code in the address field.
When a packet with this code is transmitted, it is received and processed by every machine in the network. This is called broadcasting.

Point-to-Point Networks

Consist of many connections between individual pairs of machines.
From source to destination, a packet may have to first visit one or more intermediate machines.
Often multiple routes of different lengths are possible, so routing algorithms play an important role in point-to-point networks.

Distance is important as a classification metric because different techniques are used at different scales.


Local Area Networks (LAN)

  • Geographically close group of computers that can talk to each other.
  • Privately-owned networks within a single building or campus of up to a few kilometres in size.
  • Widely used to connect personal computers and workstations in company offices or factories to share resources

Metropolitan Area Networks (MAN)

  • Bigger version of LAN.
  • Normally uses similar technology
  • Might cover a group of nearby corporate offices or a city and might be either private or public
  • Can support both data and voice and might even be related to the local cable television network.

Wide Area Networks (WAN)

Spans a large geographical area, often a country or continent, and is often associated with a large organization.
Can be made up of any combination and number of WANs, LANs or single computers.


NETWORK TOPOLOGY

Star



Ring





Mesh



Bus




OSI MODEL




WHO CAN CAUSE SECURITY PROBLEMS??

  • Student - Have fun snooping on people's email
  • Hacker - Test out someone's security system
  • Sales rep - Claim to represent all of Europe, not just Andorra
  • Businessman - Discover a competitor's strategic marketing plan
  • Ex-employee - Get revenge for being fired
  • Accountant - Embezzle money from a company
  • Stockbroker - Deny a promise made to a customer by email
  • Con-man - Steal credit card numbers for sale
  • Spy - Learn an enemy's military strength
  • Terrorist - Steal germ warfare secret

INTERTWINED AREAS IN NETWORK SECURITY PROBLEMS

  • Secrecy
  • Authentication
  • Non-Repudiation 
  • Integrity Control 

NETWORK SECURITY ISSUES

  • Sharing
  • Complexity of System
  • Unknown perimeter
  • Many points of Attack
  • Unknown Path

SECURITY EXPOSURE


  • Privacy
  • Data Integrity
  • Authenticity
  • Covert Channels

NETWORK SECURITY THREATS

Threats = circumstances, conditions, or events with the potential to cause harm to personnel and/or network resources in the form of destruction, disclosure, modification of data, denial of service or fraud, waste and abuse. Network security threats include impersonation, eavesdropping, denial of service, packet relay and packet modification.

Impersonating 

Common ways to identify and authenticate users include the use of physical keys, account names and passwords and biometrics checks.

Eavesdropping

Allows a cracker to make a complete transcript of network activity. As a result, a cracker can obtain sensitive information, such as passwords.

Denial of Service

Multi-user, multi-tasking operating systems are subject to DoS attacks, where one user can render the system unusable for legitimate users by "hogging" a resource or by damaging or destroying resources so that they cannot be used. Three common forms of network DoS attack are service overloading, message flooding and signal flooding.

Packet Relay

Refers to the recording and re-transmission of message packets in the network. It is a significant threat for programs that require authentication sequences.

Packet Modification

Significant integrity threat, which involves one system intercepting and modifying a packet destined for another system.


NETWORK SECURITY CONTROL


Encryption = technique used to safeguard information while it is stored within a network node.
  
Link Encryption VS End-to-end Encryption

                          Link Encryption                        End-to-end Encryption

Security within hosts
                          Msg exposed in sending host            Msg encrypted in sending host
                          Msg exposed in intermediate nodes      Msg encrypted in intermediate nodes

Roles of User
                          Applied by sending host                Applied by sending process
                          Invisible to user                      User applies encryption
                          Host maintains encryption              User must find algorithm
                          One facility for all users             User selects encryption
                          Can be done in hardware                Software implementation
                          All or no msg encryption               User chooses to encrypt or not

Implementation Concerns
                          Requires one key per host pair         Requires one key per user pair
                          Provides node authentication           Provides user authentication

Access Control


  • Port protection
  • Automatic Call-back
  • Differentiated Access Rights
  • Node Authentication

User Authentication

  • Password
  • Challenge-response system
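How a challenge-response system answers the threat described under "Packet Relay" (recorded authentication messages being re-transmitted), as an added Python example that is not part of the original notes. The class names, the HMAC-SHA256 construction and the shared key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


class PasswordServer:
    """Static credential: the same bytes are accepted every time they arrive."""

    def __init__(self, password):
        self._password = password

    def login(self, message):
        return hmac.compare_digest(message, self._password)


class ChallengeServer:
    """Issues a fresh random challenge per login and accepts each one once."""

    def __init__(self, key):
        self._key = key
        self._pending = set()

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self._pending:
            return False  # unknown or already used challenge
        self._pending.discard(nonce)
        return hmac.compare_digest(response, respond(self._key, nonce))


def respond(key, nonce):
    """Client side: prove knowledge of the key without sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Replay recorded traffic against both servers and report what is accepted."""
    key = b"constructed shared secret"
    static, server = PasswordServer(key), ChallengeServer(key)
    nonce = server.challenge()
    recorded = (nonce, respond(key, nonce))  # pair captured on the wire
    return {
        "password_first": static.login(key),
        "password_replayed": static.login(key),
        "response_first": server.login(*recorded),
        "response_replayed": server.login(*recorded),
        "old_response_new_challenge": server.login(server.challenge(), recorded[1]),
    }
```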


Authentication in Distributed System

  • Kerberos



Firewall Characteristics

  • All connections or activity from the inside to the outside have to pass through the firewall.
  • This is done by blocking or limiting all access to the local network, both physically and through configuration.
  • Only recognized (listed) activity can pass the firewall, as arranged by the local security policy.
  • The firewall has to be strong against attacks and weaknesses.

Types of firewall


  • Screening router
~Simplest
~Sees only addresses and service protocol type
~Auditing difficult
~Screens based on connection rules
~Complex addressing rules can make configuration tricky

  • Proxy gateways
~Somewhat complex
~Sees full text of communication
~Can audit activity
~Screens based on behavior of proxies
~Simple proxies can substitute for complex addressing rules

  • Guards
~Most complex
~Sees full text of communications
~Can audit activity
~Screens based on interpretation of msg content
~Complex guard functionality can limit assurance


Intrusion Detection System (IDS)

  • Device, software tool or hardware tool that monitors activity to identify malicious or suspicious events.
  • Used to detect unauthorized access to a computer or network.
  • Required to detect all types of malicious network traffic and computer usage.
  • Composed of several components: sensor, console and engine.
  • Correcting system configuration error
  • Installing and operating traps to record information about intruders

Types of IDS

  • Signature-based Intrusion Detection
  • Heuristic Intrusion Detection






















 

©2009 W0rLD of CoMputer ScieNce | by TNB