Post on 21-Dec-2015
transcript
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Network Security
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Outline
• Authentication
– Passwords– Biometrics
• Network protection– Firewalls, proxy servers– Denial of service attacks– Viruses
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
““10591059””
Methods of User Authentication• Something you know . . .
– Password, PIN, “mother’s maiden name”
• Something you have . . .
– Physical key, token, magnetic card, smartcard
• Something you are . . .
– Finger print, voice, retina, iris
• Someplace you are– GPS information
• Best to use two or more of the above,called two-factor authentication
SOURCE: SECURITY DYNAMICS
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Time-based Token Authentication
Login: mcollingsPasscode: 2468234836
PIN TOKENCODE
Token code: Changes every
60 seconds
Unique seed
Clock synchronized to UCT(UNIVERSAL COORDINATED TIME)
PASSCODE = +PIN TOKENCODE
SOURCE: RSA
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Biometrics
• Use of an unalterable body part or feature to provide identification
• History– For 1,000,000 years we couldn’t identify people– France used tattoos; abolished in 1832– Uniqueness of fingerprints 1890
• Verification v. identification• Weaknesses:
– Forgery– Replay attack
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Fingerprints
SOURCE: C3i
MAIN SHAPES:
LOOPWHORLARCH
MINUTIAE:
END BIFURCATION ISLAND LAKE DOT
EACH PERSON HAS A UNIQUEARRANGEMENT OF MINUTIAE:
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Fingerprint CaptureThompson-CSF FingerChip
(Thermal-sensed swipe)DEMO1, DEMO2
ST-Micro TOUCHCHIP(Capacitative)
American Biometric CompanyBioMouse (Optical) Biometric Partners
Touchless Sensor
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Fingerprint Capture
BIOMETRIC ACCESS CORPORATION
DIGITAL PERSONA
VERITOUCH MULTI-FINGERSCANNER
NOVUS HAND GEOMETRY SYSTEM
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Two-Factor Authentication Token
From Authentication © 2002. Used by permissionFingerprint “unlocks” the authenticationtoken, e.g. a digital certificate
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Iris Scan
SOURCE: IRISCAN
• Human iris patterns encode ~3.4 bits per sq. mm
• Can be stored in 512 bytes
• Patterns do not change after 1 year of life
• Patterns of identical twins are uncorrelated
• Chance of duplication < 1 in 1078
• Identification speed: 2 sec. per 100,000 people
PERSONAL IRIS IMAGER
Companies: British Telecom, Iriscan, Sensar
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Signature Dynamics
• Examines formation of signature, not final appearance
• DSV (Dynamic signature verification)
• Parameters• Total time
• Sign changes in x-y velocities
and accelerations
• Pen-up time
• Total path length
• Sampling 100 times/second
Companies: CyberSIgn, Quintet,PenOp, SoftPro SignPlus,
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Web/Network Security
• Client Side– What can the server do to the client?
• Fool it• Install or run unauthorized software, inspect/alter files
• Server Side– What can the client do to the server?
• Bring it down (denial of service)• Gain access (break-in)
• Network– Is anyone listening? (Sniffing)– Is the information genuine? Are the parties genuine?
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Packet Sniffer
Client
Packet Sniffing
Server
NETWORK INTERFACE CARDALLOWS ONLY PACKETS
FOR THIS MAC ADDRESS
EVERY NETWORK INTERFACE CARD HAS A UNIQUE 48-BIT MEDIA ACCESS CONTROL (MAC) ADDRESS, e.g. 00:0D:84:F6:3A:10
24 BITS ASSIGNED BY IEEE; 24 BY CARD VENDOR
PACKET SNIFFER SETS HIS CARDTO PROMISCUOUS MODE TO
ALLOW ALL PACKETS THROUGH
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Network Security Problem
SOURCE: CERT
REMOVABLEMEDIA
USER
MODEM +TELEPHONE
LOCAL AREANETWORK
REMOTELOCATION
INTERNETCONNECTION
“BACKDOOR”INTERNET
CONNECTION
ISP
REMOTEUSER
VENDORS ANDSUBCONTRACTORS
RADIOEMISSIONS
WIRELESS
USER
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Sophistication v. Intruder Knowledge
SOURCE: CERT
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Firewall
• A device placed between two networks or machines– All traffic in and out must pass through the firewall– Only authorized traffic is allowed to pass– The firewall itself is immune to penetration
Internet
FirewallCompany Network
SOURCE: ADAM COLDWELL
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Firewall Architecture
SOURCE: CHAPMAN, BUILDING INTERNET FIREWALLS
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Firewall Architecture
Intranet
DMZ
Internet
Firew
all
Firew
all
WEBSERVER
EMAILSERVER
PROXYSERVER
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Proxy Server
SOURCE: CHAPMAN, BUILDING INTERNET FIREWALLS
• “DUAL-HOMED” MEANS HAS TWO IP ADDRESSES• DOES NOT FORWARD IP PACKETS
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Enterprise Access Security
Web Server
Firewall
Authentication Server
RAS
Intranet
Mainframe
Enterprise
UNIXRSA Agent
Remote Access
InternetRSA
Agent
Internet Access
RSA Agent
Enterprise Access
RSA Agents
SOURCE: RSA
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Denial-of-Service Attacks
• Attack to disable a machine (server) by making it unable to respond to requests
• Use up resources– Bandwidth, swap space, RAM, hard disk
• Some attacks yield millions of service requests per second
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Ping Flooding
Victim System
Attacking System(s)
Internet
SOURCE: PETER SHIPLEY
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Three-Way Handshake
ClientServer
SYNSYN | ACK
ACK
1: Send SYN seq=x
2: Send SYN seq=y, ACK x+1
3: Send ACK y+1SOURCE: PETER SHIPLEY
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
SMURF ATTACK
INTERNET
PERPETRATORVICTIM
ICMP echo (spoofed source address of victim) Sent to IP broadcast address
ICMP echo reply
SOURCE: CISCO
ICMP = Internet Control Message Protocol
INNOCENTREFLECTOR SITES
BANDWIDTH MULTIPLICATION:A T1 (1.54 Mbps) can easilyyield 100 MBbps of attack
1 SYN
10,000 SYN/ACKs -- VICTIM IS DEAD
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Distributed Denial of Service Attack
SOURCE: CERT
VICTIM
INTRUDER
INTRUDER SENDSCOMMANDS TO
HANDLERS
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
DDOS Attack
SOURCE: CERT
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
DDOS Attack
SOURCE: CERT
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Rate Limiting
• Allows network managers to set bandwidth limits for users and by traffic type.
• Prevents deliberate or accidental flooding of the network
Rate Limiting for Different
Classes ofUsers
NetworkManager
Teachers
Students
2 Mbps
10 Mbps
50 Mbps
SOURCE: CISCO
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Code Attacks
• Virus– executable code– that attaches itself to other executable code
(infection)– to reproduce itself (spread) replicator + concealer + payload
• Rabbit, Worm– program that makes many copies of itself and spreads them.
Each copy makes copies, etc. Worm spreads via networks.
• Trojan Horse– performs unauthorized activity while pretending to be
another program. Example: fake login program
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Viral Phenomena
• Invented ~1985• More than 70,000 known viruses
– More than in nature
• 10-15 new viruses per day• 35% are destructive (up from 10% in 1993)
• Virus attacks per computer doubles every two years• Written mostly by men 14-24
– India, New Zealand, Australia, U.S.
• Symantec employs 45 people full-time, spread over 24 hours, to detect and neutralize viruses
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Exploiting System Bugs
• Buffer overflows– Program allocates 255 bytes for input.
– Hacker sends 500 bytes.
BUFFER (255 BYTES) PROGRAM CODE
245 BYTES ARE OVERWRITTEN WITH HACKER’S DATANOW HACKER’S CODE CAN BE EXECUTED
INPUT IS 500 BYTES LONG
BUFFER (255 BYTES) PROGRAM CODE
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Viral Phenomena
• Stealth capability– Virus “hides” from detection. Installs memory-resident code.
– Intercepts file accesses. If attempt is made to access its disk sector, substitutes “clean” data instead.
• Mutation
– Accidental. Virus gets changed (corrupted) by system
– Deliberate. Creator inserts program modification code.“Self-garbling” - unscrambles itself before use
– Result: virus becomes hard to detect
• Virus toolkits
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Virus Detection
• Some virus families have common characteristics– Presence or absence of particular strings
• Antiviral software– Only detects what it know how to detect.– Must be upgraded regularly for new viruses.– Symantec encyclopedia
• File virus– Compare size with known backup copy.– Presence of strings, like “.EXE”
• Retrovirus– Attacks or disables antivirus software
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Network Attacks
SOURCE: CERT
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
Key Takeaways
• Evaluate all risks, even internal ones• People do bizarre things when they think no one will
find out • Security is for professionals• Unexplored future in biometrics• Proxies give only thin protection• There is no current defense to DOS attacks• There is no defense to new viruses
(except Java for a while)
20-751 ECOMMERCE TECHNOLOGY
SPRING 2003 COPYRIGHT © 2003
MICHAEL I. SHAMOS
QA&