
Chapter 10 Security On The Internet. Agenda Security Cryptography Privacy on Internet Virus & Worm...

Date post: 17-Dec-2015
Upload: francine-anderson
Transcript
Page 1: Chapter 10 Security On The Internet. Agenda Security Cryptography Privacy on Internet Virus & Worm Client-based Security Server-based Security.

Chapter 10

Security On The Internet


Agenda

• Security

• Cryptography

• Privacy on Internet

• Virus & Worm

• Client-based Security

• Server-based Security


Security

• Security and trust requirements

• Threats on the Internet

• Sources of the threats

• Security policy


Security and Trust Requirements

• Confidentiality

• Integrity

• Availability

• Legitimate use

• Non-repudiation


Threats on the Internet

• Loss of data integrity

• Loss of data privacy

• Loss of service

• Loss of control


Sources of the Threats

• Hackers

• Cyber terrorists

• Employee error

• Missing procedures

• Wrongly configured software


Hackers

• Monitoring the communication
  – Private information & password
• Steal hardware & software
  – Smart card or database
• Intercept the output of a monitor screen
• Overloading the service
• Trojan horses – virus
• Masquerading (IP address spoofing)
• Dustbin


Hackers

• Bribe employee
• Information of internal network or internal DNS structure
• Social Engineering
  – Exploiting habits of employee
  – Pretending to be an employee
  – Organization chart
  – Phone book
  – Information gathering and social pressure


Hackers

• Countermeasures
  – Firewall
  – Two-factor authentication (know and have)
  – Audit log file
  – Digital certificate (user or server)
  – Message encryption


Cyber Terrorists

• Definition
  – Use computer resources to intimidate others
• Methods
  – Virus attack
  – Alteration of information
  – Cutting off communication
  – Killing from a distance
  – Spreading misinformation


Cyber Terrorists

• Countermeasures
  – Commission of Critical Infrastructure Protection
  – Disconnect mission critical systems from public network
  – Firewall to monitor communication
  – The eternity service concept (duplication and encryption)


Security Policy

• List of resources needed to be protected

• Catalogue the threats for every resource

• A risk analysis (cost and benefit)

• Centralized authorization
  – Physical access control (policy & procedure)
  – Logical access control (policy & procedure)

• Test, review and update


Agenda

• Security

• Cryptography

• Privacy on Internet

• Virus & Worm

• Client-based Security

• Server-based Security


Cryptography

• Secret key

• Public key

• Steganography

• Applications


Secret Key

• Symmetric cryptography

• A single key for encryption and decryption

• Use different medium for key and message

• Fast encryption and decryption

• Types
  – Stream ciphers: bit level
  – Block ciphers: pre-defined length into a block


Public Key

• Asymmetric key cryptography
• RSA algorithm: two distinct keys (private and public) for every user
• Public key decrypts messages encrypted with private key
• Long time to encrypt and decrypt message
• RSA to encrypt the symmetric key which encrypted the message


Public Key

• Usages
  – Communication between web server and web browsers to create a session key
  – E-mail uses a different public key for different recipients


Steganography

• Hide information in the ordinary noise and digital systems of sounds and images

• Low quality of free software

• Higher quality for commercial software

• Law requirements for encryption and decryption


Applications

• Enforce privacy
  – Storing the hash value of password
• Encrypting e-mail
  – Pretty Good Privacy (PGP): unbreakable
  – Secure Multipurpose Internet Mail Extensions (S/MIME): easy to set up with less security
  – Separate the use of strong symmetric encryption algorithms and e-mail software
  – WinZip: for e-mail read by multiple persons and password over the phone


Applications

• Digital Signatures
  – Digital hash or digital code for each message
  – Encrypt the digital code with private key
  – Decrypt the digital code with public key
  – Digital time stamp (time and date) encrypted with private key by third party


Agenda

• Security

• Cryptography

• Privacy on Internet

• Virus & Worm

• Client-based Security

• Server-based Security


Privacy on Internet

• Footprints on the Net

• TRUSTe

• The platform for privacy preferences

• Anonymity


Footprints on the Net

• Request a web site
  – The name of the browser
  – The operating systems
  – Preferred language
  – The last visited web site
  – IP address and domain name
  – The client location
  – The screen resolution and number of colors


Footprints on the Net

• Cookies
  – The password to open a site
  – A user name
  – An e-mail address
  – Purchasing information


TRUSTe

• An independent, non-profit privacy organization that issues an online seal called “trustmark”

• To certify that an online business is trustworthy and safe, and to allow its privacy practice to be checked by a third party

• Privacy information is hard for the end user to understand


The Platform for Privacy Preferences

• Platform for Privacy Preferences Project (P3P) by W3C

• Defines a way for a web site to inform users of its privacy practice before the first page


Anonymity

• Anonymous remailers to replace the header of original e-mail with remailer’s

• Anonymizer


Agenda

• Security

• Cryptography

• Privacy on Internet

• Virus & Worm

• Client-based Security

• Server-based Security


Virus

• Types of viruses

• Virus damage

• Virus strategy


Types of viruses

• Boot sector virus

• Executable virus

• Macro virus

• Hoax viruses and chain letter


Virus Damage

• Annoying

• Harmless

• Harmful

• Destructive


Virus Strategy

• Firewall
• Anti-virus program
  – Scanner
  – Shield
  – Cleaner
• Backup strategy
• Education of employee with a frequently asked questions (FAQ) page


Agenda

• Security

• Cryptography

• Privacy on Internet

• Virus & Worm

• Client-based Security

• Server-based Security


Client-based Security

• Digital certificates

• Smart card

• Biometric identification


Digital Certificates

• Personal information (name and address) file encrypted and password-protected with public key and certification authority (name and validity period)

• Types
  – Browser and server: SSL encryption
  – Customer and merchant: SET encryption
  – Two e-mail partners: S/MIME


Smart Cards

• Uses electrically erasable programmable read-only memory (EEPROM)
• Types
  – Contact cards
  – Contactless cards
  – Combi cards
• Information Access
  – Read only
  – Add only
  – Modify or delete
  – Execution only


Biometric Identification

• Physical characteristics or behavioral traits

• Issues
  – Acceptance
  – Accuracy
  – Cost
  – Privacy


Agenda

• Security

• Cryptography

• Privacy on Internet

• Virus & Worm

• Client-based Security

• Server-based Security


Server-based Security

• Isolation of web server
• Application proxies
• Multi-layered firewall
• A trusted operating system (TOS)
• Backup
• Least privilege
• Balance of power
• A good audit system


Trusted Operating Systems

• Types
  – Virtual Vault by Hewlett Packard
  – Trusted Solaris by Sun
• Features
  – Firewall
  – Intranet
  – Internet
  – Distributed system: data and program
  – Least privilege
  – Peak usage management
  – Multi level security
  – Audit system


Audit System

• Adaptable

• Automated

• Configurable

• Dynamic

• Flexible

• Manageable

• System-wide


Points to Remember

• Security

• Cryptography

• Privacy on Internet

• Virus & Worm

• Client-based Security

• Server-based Security

