Introduction
Legal and Ethical
Categories of law
Differences between legal and Ethic
Ethics concept in Information Security
Protecting programs and Data
Information and Law
Objectives of Understanding Legal Section
Therefore, there are three motivations for studying the legal section
to know what protection the law provides for computers and data;
to appreciate laws that protect the rights of others with respect to computers, programs, and data; and
to understand existing laws as a basis for recommending new laws to protect computers, data, and people.
::->There are three common used ways to provide protections by laws:
@Copyright
Copyright gives the author/programmer exclusive right to make copies of the expression and sell them to the public. That is, only the author can sell copies of the author’s book (except, of course, for booksellers or others working as the agents of the author).
Copyrights for Computer Works
The algorithm is the idea, and the statements of the programming language are the expression of the idea.
Therefore, protection is allowed for the program statements themselves, but not for the design: copying the code intact is prohibited, but reimplementing the algorithm is permitted.
Examples of Copyrights
A second problem with the copyright protection for computer works is the requirement that the work be published.
A program may be published by distributing copies of its object code, for example on a disk. However, if the source code is not distributed, it has not been published.
An alleged infringer cannot have violated a copyright on source code if the source code was never published.
A copyright controls the right to copy and distribute; it is not clear that allowing distributed access is a form of distribution in distributed system.
@Patent
Patents are unlike copyrights in that they protect inventions, not works of the mind.
The distinction between patents and copyrights is that patents were intended to apply to the results of science, technology, and engineering, whereas copyrights were meant to cover works in the arts, literature, and written scholarship.
The patents law excludes newly discovered laws of nature … [and] mental processes.
Computer Objects
The patent has not encouraged patents of computer software.
For a long time, computer programs were seen as the representation of an algorithm was a fact of nature, which is not subject to patent.
There was a case on a request to patent a process for converting decimal numbers into binary. The Supreme Court rejected the claim, saying it seemed to attempt to patent an abstract idea, in short, an algorithm. But the underlying algorithm is precisely what most software developers would like to protect.
@Trade Secret
A trade secret is information that gives one company a competitive edge over others. For example, the formula for a soft drink is a trade secret, as is a mailing list of customers, or information about a product due to be announced in a few months.
The distinguishing characteristic of a trade secret is that it must always be kept secret. The owner must take precautions to protect the secret, such as storing it in a safe, encrypting it in a computer file, or making employees sign a statement that they will not disclose the secret.
Trade secret protection applies very well to computer software.
The underlying algorithm of a computer program is novel, but its novelty depends on nobody else’s knowing it.
Trade secret protection allows distribution of the result of a secret (the executable program) while still keeping the program design hidden.
Trade secret protection does not cover copying a product (specifically a computer program), so that it cannot protect against a pirate who sells copies of someone else’s program without permission.
However, trade secret protection makes it illegal to steal a secret algorithm and use it in another product.
Why Computer Crime is Hard to Define?
Understanding
*Neither courts, lawyers, police agents, nor jurors necessarily understand computers.
Fingerprints
*Polices and courts for years depended on tangible evidence, such as fingerprints. But with many computer crimes there simply are no fingerprints, no physical clues.
Form of Assets
*We know what cash is, or diamonds, or even negotiable securities. But are 20 invisible magnetic spots really equivalent to a million dollars?
Juveniles
*Many computer crimes involve juveniles. Society understands immaturity and can treat even very serious crimes by juveniles as being done with less understanding than when the same crime is committed by an adult.
Type of Crimes Committed
Telecommunications Fraud
*It is defined as avoiding paying telephone charges by misrepresentation as a legitimate user.
Embezzlement
*It involves using the computer to steal or divert funds illegally.
Hacking
*It denotes a compulsive programmer or user who explores, tests, and pushes computers and communications system to their limits - often illegal activities.
Automatic Teller Machine Fraud
*It involves using an ATM machine for a fraudulent activity - faking deposits, erasing withdrawals, diverting funds from another person’s account through stolen PIN numbers.
Records Tampering
*It involves the alteration, loss, or destruction of computerised records.
Acts of Disgruntled Employees
*They often use a computer for revenge against their employer.
Child Pornography and Abuse
*They are illegal or inappropriate arts of a sexual nature committed with a minor or child, such as photographing or videotaping.
Drug Crimes
*Drug dealers use computers to communicate anonymously with each other and to keep records of drug deals.
Organised Crime
*For all kinds of crime, the computer system may be used as their tools.
Summary
Firstly, the legal mechanisms of copyright, patent, and trade secret were presented as means to protect the secrecy of computer hardware, software and data.
However, these mechanisms were designed before the invention of computer, so their applicability to computing needs is somewhat limited.
Meanwhile, program protection is especially desired, and software companies are pressing the courts to extend the interpretation of these means of protection to include computers.
Secondly, relationship between employers and employees, in the context of writers of software. Well-established laws and precedents control the acceptable access an employee has to software written for a company
Thirdly, some difficulties of in prosecuting computer crime. In general, the courts have not yet granted computers, software, and data appropriate status considering value of assets and seriousness of crime. The legal system is moving cautiously in its acceptance of computers.
What are Ethics?
Society relies on ethics or morals to prescribe generally accepted standards of proper behaviour.
An ethic is an objectively defined standard of right and wrong within a group of individuals.
These ethics may influence by religious believe. Therefore, through choices, each person defines a personal set of ethical practices.
A set of ethical principles is called and ethical system.
Differences of The Law and Ethics
Firstly, laws apply to every one, even you do not agree with the laws. However, you are forced to respect and obey the laws.
Secondly, there is a regular process through the courts for determining which law supersedes which if two laws conflict.
Thirdly, the laws and the courts identify certain actions as right and others as wrong. From a legal standpoint, anything that is not illegal is right.
Finally, laws can be enforced, and there are ways to rectify wrongs done by unlawful behaviour.
Contrast of Law Versus Ethics
Thursday, October 22, 2009
LEC 10:: Legal and Ethical Issues in Computer Security
Posted by SeCuRiTy LiFe.. at 6:23 PM 0 comments
LEC 9:: Intrusion Detection System
Intruders
Security Intrusion & Detection
Types of IDS
*HIDS
*NIDS
*DIDS
IDS Techniques
SNORT
Honeypots
An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.
An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
An IDS can be composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.
IDS Terminology
Alert/Alarm- A signal suggesting a system has been or is being attacked [1].
True attack stimulus- An event that triggers an IDS to produce an alarm and react as though a real attack were in progress [1].
False attack stimulus- The event signaling an IDS to produce an alarm when no attack has taken place [1].
False (False Positive)- An alert or alarm that is triggered when no actual attack has taken place [1].
*False negative- A failure of an IDS to detect an actual attack.
*Noise- Data or interference that can trigger a false positive .
*Site policy- Guidelines within an organization that control the rules and configurations of an IDS .
*Site policy awareness- The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity .
*Confidence value- A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack .
*Alarm filtering- The process of categorizing attack alerts produced from an IDS in
order to distinguish false positives from actual attacks.
Types of Intrusion-Detection systems
There are three main types of systems in which IDS can be used : network, applications and hosts.
In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in network to be monitored, often in the demilitarized zone (DMZ) or at network borders. The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic.
In systems, PIDS and APIDS are used to monitor the transport and protocols for illegal or inappropriate traffic or constructs of a language. For example forged SQL queries attempting to delete database records, virus in emails.
In a host-based system, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed. For example attempt to modify the master boot record, keylogger, file access.
Hybrids for the two later systems also exist.
Network intrusion detection system (NIDS)
It is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, network switch configured for port mirroring, or network tap. An example of a NIDS is Snort.
Protocol-based intrusion detection system (PIDS)
It consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server. For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect. Where HTTPS is in use then this system would need to reside in the "shim", or interface, between where HTTPS is un-encrypted and immediately prior to its entering the Web presentation layer.
Application protocol-based intrusion detection system (APIDS)
It consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.
Host-based intrusion detection system (HIDS)
It consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state. An example of a HIDS is OSSEC.
Hybrid intrusion detection system
It combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude.
Intrusion detection systems can also be system-specific using custom tools and honeypots.
Posted by SeCuRiTy LiFe.. at 6:21 PM 0 comments
LEC 8:: FIREWALL
A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all (in and out) computer traffic between different security domains based upon a set of rules and other criteria.
Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:
1. Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. In addition, it is susceptible to IP spoofing.
2. Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
3. Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
4. Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
Function
A firewall is a dedicated appliance, or software running on a computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.
It is a software or hardware that is normally placed between a protected network and an unprotected network and acts like a gate to protect assets to ensure that nothing private goes out and nothing malicious comes in.
A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone (DMZ).
A firewall's function within a network is similar to physical firewalls with fire doors in building construction. In the former case, it is used to prevent network intrusion to the private network. In the latter case, it is intended to contain and delay structural fire from spreading to adjacent structures.
Without proper configuration, a firewall can often become worthless. Standard security practices dictate a "default-deny" firewall ruleset, in which the only network connections which are allowed are the ones that have been explicitly allowed. Unfortunately, such a configuration requires detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.
First generation - packet filters
The first paper published on firewall technology was in 1988, when engineers from Digital Equipment Corporation (DEC) developed filter systems known as packet filter firewalls. This fairly basic system was the first generation of what would become a highly evolved and technical internet security feature. At AT&T Bell Labs, Bill Cheswick and Steve Bellovin were continuing their research in packet filtering and developed a working model for their own company based upon their original first generation architecture.
Packet filters act by inspecting the "packets" which represent the basic unit of data transfer between computers on the Internet. If a packet matches the packet filter's set of rules, the packet filter will drop (silently discard) the packet, or reject it (discard it, and send "error responses" to the source).
This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (it stores no information on connection "state"). Instead, it filters each packet based only on information contained in the packet itself (most commonly using a combination of the packet's source and destination address, its protocol, and, for TCP and UDP traffic, the port number).
TCP and UDP protocols comprise most communication over the Internet, and because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a "stateless" packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.
Second generation - Application layer
The key benefit of application layer filtering is that it can "understand" certain applications and protocols (such as File Transfer Protocol, DNS, or web browsing), and it can detect whether an unwanted protocol is being sneaked through on a non-standard port or whether a protocol is being abused in any harmful way.
Third generation - "stateful" filters
From 1989-1990 three colleagues from AT&T Bell Laboratories, Dave Presetto, Janardan Sharma, and Kshitij Nigam developed the third generation of firewalls, calling them circuit level firewalls.
Third generation firewalls in addition regard placement of each individual packet within the packet series. This technology is generally referred to as a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is either the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can in itself be one of the criteria which trigger specific rules.
This type of firewall can help prevent attacks which exploit existing connections, or certain Denial-of-service attacks.
::TYPES::
There are several classifications of firewalls depending on where the communication is taking place, where the communication is intercepted and the state that is being traced.
Network layer and packet filters
Network layer firewalls, also called packet filters, operate at a relatively low level of the TCP/IP protocol stack, not allowing packets to pass through the firewall unless they match the established rule set. The firewall administrator may define the rules; or default rules may apply. The term "packet filter" originated in the context of BSD operating systems.
Network layer firewalls generally fall into two sub-categories, stateful and stateless. Stateful firewalls maintain context about active sessions, and use that "state information" to speed packet processing. Any existing network connection can be described by several properties, including source and destination IP address, UDP or TCP ports, and the current stage of the connection's lifetime (including session initiation, handshaking, data transfer, or completion connection). If a packet does not match an existing connection, it will be evaluated according to the ruleset for new connections. If a packet matches an existing connection based on comparison with the firewall's state table, it will be allowed to pass without further processing.
Stateless firewalls require less memory, and can be faster for simple filters that require less time to filter than to look up a session. They may also be necessary for filtering stateless network protocols that have no concept of a session. However, they cannot make more complex decisions based on what stage communications between hosts have reached.
Modern firewalls can filter traffic based on many packet attributes like source IP address, source port, destination IP address or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, of the source, and many other attributes.
Commonly used packet filters on various versions of Unix are ipf (various), ipfw (FreeBSD/Mac OS X), pf (OpenBSD, and all other BSDs), iptables/ipchains (Linux).
Application-layer
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgment to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.
On inspecting all packets for improper content, firewalls can restrict or prevent outright the spread of networked computer worms and trojans. The additional inspection criteria can add extra latency to the forwarding of packets to their destination.
Proxies
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.
Proxies make tampering with an internal system from the external network more difficult and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.
Network address translation
Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly have addresses in the "private address range", as defined in RFC 1918. Firewalls often have such functionality to hide the true address of protected hosts. Originally, the NAT function was developed to address the limited number of IPv4 routable addresses that could be used or assigned to companies or individuals as well as reduce both the amount and therefore cost of obtaining enough public addresses for every computer in an organization. Hiding the addresses of protected devices has become an increasingly important defense against network reconnaissance.
Posted by SeCuRiTy LiFe.. at 6:19 PM 0 comments
LEC 7:: WIRELESS SECURITY
Wireless LANs
IEEE ratified 802.11 in 1997.
-Also known as Wi-Fi.
Wireless LAN at 1 Mbps & 2 Mbps.
WECA (Wireless Ethernet Compatibility Alliance) promoted Interoperability.
-Now Wi-Fi Alliance
802.11 focuses on Layer 1 & Layer 2 of OSI model.
-Physical layer
-Data link layer
A wireless local area network (WLAN) links two or more devices using some wireless distribution method (typically spread-spectrum or OFDM radio), and usually providing a connection through an access point to the wider internet. This gives users the mobility to move around within a local coverage area and still be connected to the network.
Wireless LANs have become popular in the home due to ease of installation, and the increasing popularity of laptop computers. Public businesses such as coffee shops and malls have begun to offer wireless access to their customers; sometimes for free.
Types of wireless lan
::Peer to peet::
An ad-hoc network is a network where stations communicate only peer to peer (P2P). There is no base and no one gives permission to talk. This is accomplished using the Independent Basic Service Set (IBSS).
A peer-to-peer (P2P) network allows wireless devices to directly communicate with each other. Wireless devices within range of each other can discover and communicate directly without involving central access points. This method is typically used by two computers so that they can connect to each other to form a network.
If a signal strength meter is used in this situation, it may not read the strength accurately and can be misleading, because it registers the strength of the strongest signal, which may be the closest computer.
IEEE 802.11 define the physical layer (PHY) and MAC (Media Access Control) layers based on CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). The 802.11 specification includes provisions designed to minimize collisions, because two mobile units may both be in range of a common access point, but out of range of each other.
The 802.11 has two basic modes of operation: Ad hoc mode enables peer-to-peer transmission between mobile units. Infrastructure mode in which mobile units communicate through an access point that serves as a bridge to a wired network infrastructure is the more common wireless LAN application the one being covered. Since wireless communication uses a more open medium for communication in comparison to wired LANs, the 802.11 designers also included shared-key encryption mechanisms: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA, WPA2), to secure wireless computer networks.
::Bridge::
A bridge can be used to connect networks, typically of different types. A wireless Ethernet bridge allows the connection of devices on a wired Ethernet network to a wireless network. The bridge acts as the connection point to the Wireless LAN.
::Wireless distribution system::
A Wireless Distribution System is a system that enables the wireless interconnection of access points in an IEEE 802.11 network. It allows a wireless network to be expanded using multiple access points without the need for a wired backbone to link them, as is traditionally required. The notable advantage of WDS over other solutions is that it preserves the MAC addresses of client packets across links between access points.
An access point can be either a main, relay or remote base station. A main base station is typically connected to the wired Ethernet. A relay base station relays data between remote base stations, wireless clients or other relay stations to either a main or another relay base station. A remote base station accepts connections from wireless clients and passes them to relay or main stations. Connections between "clients" are made using MAC addresses rather than by specifying IP assignments.
All base stations in a Wireless Distribution System must be configured to use the same radio channel, and share WEP keys or WPA keys if they are used. They can be configured to different service set identifiers. WDS also requires that every base station be configured to forward to others in the system.
WDS may also be referred to as repeater mode because it appears to bridge and accept wireless clients at the same time (unlike traditional bridging). It should be noted, however, that throughput in this method is halved for all clients connected wirelessly.
When it is difficult to connect all of the access points in a network by wires, it is also possible to put up access points as repeaters.
WPA and WEP
WPA and WEP are technologies that "encrypt" the traffic on your network. That is, they scramble it so that an attacker can't make any sense of it. To unscramble it at the other end, all systems using it must know a "key" or password.
Note that WPA is now in a second generation, referred to as WPA2. Unless otherwise specified, this document uses "WPA" to refer to both.
WPA and WEP provide both access control and privacy. Privacy comes from the encryption. Access control comes from the fact that someone must know the password to use your network.
For this reason, for small networks, using WPA is enough to meet the requirements of the Wireless policy. However you will still want to make sure that any services that use a password or other private information use SSL or some other type of end to end encryption.
WEP is significantly less secure than WPA, but can be used until your equipment can be upgraded to support WPA. While WEP is widely regarded as insecure, it is still a lot better than nothing.
WPA has two modes, personal and enterprise. For small installations you'll want to use personal mode. It just requires a password. Enterprise mode is for larger installations, that have a Radius server that will support WPA.
The primary problem with WPA in personal mode is that it has a single password, which you must tell to all users. That becomes impractical for larger installations.
WPA in enterprise mode requires each user to login with their own username and password. That simplifies management in large installations, because you don't have to distribute a common password to all your users. However it is a bit more complex to implement:
* Each user's system must have special software to let the user login to the network. This software is referred to as an "802.1x supplicant".
* The access point must support WPA enterprise mode. The access point is configured to talk to a RADIUS server, which is a central server that actually checks the password.
* You must have a RADIUS server that supports WPA enterprise mode. While the RADIUS server may have its own list of usernames and passwords, it would be more common for it to talk to an LDAP or Active Directory server, so that users login to the network with the same password that they use for other services.
For this reason, most large implementations at Rutgers do not use enterprise mode. Instead they use separate gateway boxes for access control, and depend upon end to end encryption for privacy. One can argue that this is not as secure as WPA enterprise mode, but it avoids the support implications of requiring users to login to the network with an 802.1x supplicant.
Choosing a good password
It is critical to use a good password. There are attacks against WPA that will break your security if your password uses words or any other well-known sequences. WPA allows passwords as long as 63 characters. We strongly recommend using a long random password, or at the very least a long phrase (at least 20 characters, but preferably longer). The phrase should not be taken from any web site or published work. Most software saves the password, so you only need to type it once on each system.
Even better than a long phrase is a truly random password. For example, consider using http://rulink.rutgers.edu/random.php3. This generates a random 32-character hex string. You can combine two of them (and leave off one character) to get a 63-character password.
Posted by SeCuRiTy LiFe.. at 6:13 PM 0 comments
LEC 6:: SECURITY APPLICATION
Security in Email
#SMIME
S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME.
S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFCs. S/MIME was originally developed by RSA Data Security Inc. The original specification used the recently developed IETF MIME specification with the de facto industry standard PKCS #7 secure message format.
S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption). S/MIME specifies the application/pkcs7-mime (smime-type "enveloped-data") type for data enveloping (encrypting): the whole (prepared) MIME entity to be enveloped is encrypted and packed into an object which subsequently is inserted into an application/pkcs7-mime MIME entity.
S/MIME functionality is built into the vast majority of modern e-mail software and interoperates between them.
#PGP
Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications. It was originally created by Philip Zimmermann in 1991.
PGP and other similar products follow the OpenPGP standard (RFC 4880) for encrypting and decrypting data.
PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and, finally, public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a user name and/or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system which uses a hierarchical approach based on certificate authority and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.
-Compatibility-
As PGP evolves, PGP systems that support newer features and algorithms are able to create encrypted messages that older PGP systems cannot decrypt, even with a valid private key. Thus, it is essential that partners in PGP communication understand each other's PGP capabilities or at least agree on PGP settings.
-Digital signatures-
PGP supports message authentication and integrity checking. The latter is used to detect whether a message has been altered since it was completed (the message integrity property), and the former to determine whether it was actually sent by the person/entity claimed to be the sender (a digital signature). In PGP, these are used by default in conjunction with encryption, but can be applied to plaintext as well. The sender uses PGP to create a digital signature for the message with either the RSA or DSA signature algorithms. To do so, PGP computes a hash (also called a message digest) from the plaintext, and then creates the digital signature from that hash using the sender's private keys.
Security in Web
#SSL
What is SSL?
SSL is the ubiquitous security protocol used in almost 100% of secure Internet transactions. Essentially,SSL transforms a typical reliable transport protocol (such as TCP) into a secure communications channel suitable for conducting sensitive transactions.i The SSL protocol defines the methods by which a secure communications channel can be established—it does not indicate which cryptographic algorithms need to be used. SSL supports many different algorithms, and serves as a framework whereby cryptography can be used in a convenient and distributed manner.
Any application that needs to transmit data over an unsecured network such
as the Internet or a company intranet is a potential candidate for SSL. SSL provides security, and moreimportantly, peace of mind. When using SSL, you can be fairly sure that your data are safe from eavesdroppers and tampering.
SSL is relatively new to the embedded world because it has been too complex for traditional embeddedsystems microprocessors to handle. However, starting with Rev. A of the Rabbit 3000 microprocessor, hardware assistance has been added to speed up some of the more complex SSL cryptography operations, making SSL a viable solution in a market where standard (usually complex) security protocols have not traditionally been supported. The applications for embedded applications are as numerous as those for the PC world.
#SSH
Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices.[1] Used primarily on Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells, which send information, notably passwords, in plaintext, leaving them open for interception.[2] The encryption used by SSH provides confidentiality and integrity of data over an insecure network, such as the Internet.
SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user, if necessary.
SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections; it can transfer files using the associated SFTP or SCP protocols.SSH uses the client-server model.
The standard TCP port 22 has been assigned for contacting SSH servers.
An SSH client program is typically used for establishing connections to an SSH daemon accepting remote connections. Both are commonly present on most modern operating systems, including Mac OS X, Linux, FreeBSD, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.
#HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a combination of the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. HTTPS should not be confused with Secure HTTP (S-HTTP) specified in RFC 2660
#SFTP
SFTP, or secure FTP, is a program that uses SSH to transfer files. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can't use a standard FTP client to talk to an SFTP server,can connect to an FTP server with a client that supports only SFTP.
Posted by SeCuRiTy LiFe.. at 6:09 PM 0 comments
LEC 5:: Security in network
Definition
+A computing network is a computing environment with more than one independent processors
+May be multiple users per system
+Distance between computing systems is not considered (a communications media problem)
+Size of computing systems is not relevant
What is a Network can Provide?
~ Logical interface function
~ Sending messages
~ Receiving messages
~ Executing program
~ Obtaining status information
~ Obtaining status information on other network users and their status
Type of Network
One way to categorize the different types of computer network designs is by their scope or scale. For historical reasons, the networking industry refers to nearly every type of design as some kind of area network. Common examples of area network types are:
* LAN - Local Area Network
* WLAN - Wireless Local Area Network
* WAN - Wide Area Network
* MAN - Metropolitan Area Network
* SAN - Storage Area Network, System Area Network, Server Area Network, or sometimes Small Area Network
Who Couse Security Problem
Ò
Ò~Hacker
Ò~Spy
Ò~Student
Ò~Businessman
Ò~Ex-employee
Ò~Stockbroker
Ò~Terrorist
Network Security Control
Ò~Encryption
Ò~Strong Authentication
Ò~IPSec,VPN,SSH
Ò~Kerberos
Ò~Firewall
Ò~Intrusion Detection System (IDS)
Ò~Intrusion Prevention System (IPS)
Ò~Honeypot
Encryption
Encryption is the conversion of data into a form, called a ciphertext, that cannot be easily understood by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood.
Encryption is the most effective way to achieve data security . To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypt data is referred to as cipher text
Hacking And Preventation
Ò~motivated by thrill of access and status
É @hacking community a strong meritocracy
É @status is determined by level of competence
Ò~benign intruders might be tolerable
É @do consume resources and may slow performance
É @can’t know in advance whether benign or malign
Ò~IDS / IPS / VPNs can help counter
Ò~awareness led to establishment of CERTs
É @collect / disseminate vulnerability info / responses
Covering Track
Ò~Every activity is logged
~Syslog, accesslog, eventlog,
Intrusion Detection Systems
• classify intrusion detection systems (IDSs)
as:
• Host-based IDS: monitor single host activity
• Network-based IDS: monitor network traffic
• logical components:
• sensors - collect data
• analyzers - determine if intrusion has occurred
• user interface - manage / direct / view IDS
IDS Principles
• assume intruder behavior differs from
legitimate users
• expect overlap as shown
• observe deviations
from past history
• problems of:
• false positives
• false negatives
• must compromise
Honeyports
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.
A honeypot is valuable as a surveillance and early-warning tool. While it is often a computer, a honeypot can take other forms, such as files or data records, or even unused IP address space. A honeypot that masquerades as an open proxy to monitor and record those using the system is a sugarcane. Honeypots should have no production value, and hence should not see any legitimate traffic or activity. Whatever they capture can then be surmised as malicious or unauthorized. One practical implication of this is honeypots that thwart spam by masquerading as the type of systems abused by spammers.
Honeypots can be classified based on their deployment and based on their level of involvement. Based on the deployment, honeypots may be classified as
1. Production Honeypots
2. Research Honeypots
Posted by SeCuRiTy LiFe.. at 5:49 PM 0 comments
Sunday, October 4, 2009
LEC 4:: AUTHENTICATION & ACCES CONTROL
Authentication
*Password
*Biometric
Access control
*Matrix
*List
*Unix access control
-Verification of identity of someone who generated some data
-Relates to identity verification
-classifications of identity verification:
+by something known e.g. password
+by something possessed e.g. smart card, passport
+by physical characteristics (biometrics) e.g. finger prints, palm prints, retina, voice
+by a result of involuntary action : signature
Password
Protection of passwords
Don’t keep your password to anybody
Don’t write or login your password at everywhere
Etc.
Choosing a good password
Criteria:
-Hard to guess and easy to remember
Characteristics of a good password
-Not shorter than six characters
-Not patterns from the keyboard
Etc.
Calculations on password
*Password population, N =rs
*Probability of guessing a password = 1/N
*Probability of success, P=nt/N
Techniques for guessing passwords
*Try default passwords.8
*Try all short words, 1 to 3 characters long.
*Try all the words in an electronic dictionary(60,000).
*Collect information about the user’s hobbies, family names, birthday, etc.
*Try user’s phone number, social security number, street address, etc.
*Try all license plate numbers
*Use a Trojan horse
*Tap the line between a remote user and the host system.
What is Biometric?
*The term is derived from the Greek words bio (= life) and metric (= to measure)
*Biometrics is the measurement and statistical analysis of biological data
*In IT, biometrics refers to technologies for measuring and analysing human body characteristics for authentication purposes
*Definition by Biometrics Consortium – automatically recognising a person using distinguishing traits
Verification vs Identification
*Verification (one-to-one comparison) –confirms a claimed identity
-Claim identity using name, user id, …
*Identification (one-to-many comparison) – establishes the identity of a subject from a set of enrolled persons
-Employee of a company?
-Member of a club?
-Criminal in forensics database?
Static vs. dynamic biometric methods
*Static (also called physiological) biometric methods – authentication based on a feature that is always present
*Dynamic (also called behavioural) biometric methods – authentication based on a certain behaviour pattern
Classification of biometric methods
Static
Fingerprint recognition
Retinal scan
Iris scan
Hand geometry
Dynamic
Signature recognition
Speaker recognition
Keystroke dynamics
Biometric system model
Posted by SeCuRiTy LiFe.. at 8:09 AM 0 comments