Copyright 2000 Randy Smith and the Darden School DO NOT ... · trusted third parties and provide...

Copyright 2000 Randy Smith and the Darden School

DO NOT DISTRIBUTE

1

DO NOT DISTRIBUTE

Tech Two – Security Threats and Countermeasures

• Threats• Firewall and Proxy Servers• Encryption• Dell Example• Assurance • Privacy

Should Dell Worry ? So we killed a few people, big deal


DO NOT DISTRIBUTE

2

DO NOT DISTRIBUTE

Should Dell Worry ? Spiceworld go BOOM !

Should Dell Worry ? Starvin’ 4 Kevin


DO NOT DISTRIBUTE

3

DO NOT DISTRIBUTE

Source: InformationWeek, July 12, 1999

Internet Security Threats

• Viruses– Recently:

– Melissa– Worm– LoveBug– GAZ Trojan

– Gain access to systems through email and infected documents


DO NOT DISTRIBUTE

4

DO NOT DISTRIBUTE


• Problem: Impersonation– Hacker tries to masquerade as E-Business partner

• Solution: Need to authenticate the E-Business partner with digital certificates

Hacker

Dell

?


• Problem: Interception and modification of packets • Solution:

– Confidentiality - insure that that intercepted packets are not in readable form by using encryption

– Integrity – insure detection of modified packets by using digital signatures Dell

Hacker


DO NOT DISTRIBUTE

5

DO NOT DISTRIBUTE


• Problem: Denial of Service (DOS) Attacks – Flood servers with millions of messages– Send a malformed packet designed to crash the server

• Solution : Firewalls with packet filtering

History of DOS Attacks

Sept ’96 ISP Panix - 1000 Corporate Sites Down

Oct ’96 Vendors Revise Software to Plug

Nov ’99 CMU’s Computer Emergency Response Team (CERT) Warns of Planted DOS Tools

Feb 7 & 8, 2000 Massive Distributed Attacks on Yahoo, Buy.com, ebay, Amazon, CNN and e*Trade


DO NOT DISTRIBUTE

6

DO NOT DISTRIBUTE

Distributed SYN Attacks

Slave Servers

Master Server

TCP “Syn Requests”

TCP “Syn ACKS”

Distributed “Ping”Attacks

Slave Servers

Master Server

Bounce Sites

PING Requests

Ping Responses


DO NOT DISTRIBUTE

7

DO NOT DISTRIBUTE

Known Denial of Service (DOS) Tools

• Publicly available attack tools– Trin 00 and Tribal Flood Network - discovered Nov ’99– TFN2K , a NT version that encrypts its packets, Feb ‘00– Stachel-draht – German for barbed wire, Feb ’00

• Previous DOS tools directed attacks from one server• New versions use a master server to control large number

of slave servers that carry out the attack.• The slave servers owners’ systems have been seeded with

the attack software without their knowledge

Firewalls

• Defends the access point to the corporate intranet from the Internet– Attempts to stop unauthorized access from the Internet– May limit internal users’ access to certain Internet sites

YesFirewall

Control Access byPassword Authentication

No

bb


DO NOT DISTRIBUTE

8

DO NOT DISTRIBUTE

Authentication

• Smart Cards – RSA SecurID, ActivCard, GemPlus• RF Token Devices - RSA SecurID Key Fob• Biometric Devices

– Fingerprint Scanners – Digital Personna, U.are U.– Iris/Retina Scanners – IriScan, Eyedentify – Face Geometry Recognition – BioNetrix– Voice Recognition – VeriVoice– Signature Verification – Cyber-Sign

IP Firewalls

• Attempts to control access to internal network by checking the IP addresses of in-bound packets

• Allows only packets with addresses of approved hosts to pass through

• Can be defeated by “spoofing”– Discovering an acceptable source IP address and placing in the

packets IPFirewall

IP Packets

Yes

No


DO NOT DISTRIBUTE

9

DO NOT DISTRIBUTE

Proxy Servers

Used to hide internal internet addresses– Receives HTTP request from internal user– Replaces internal user’s internet address with a false IP

address and forwards on to specified host– Replaces false IP address and with internal user’s IP

address forwards on to the internal userHTTP

RequestRequest with

False IP Address

Response to False IP Address

HTTPResponse

Proxy Servers

Serve as intermediaries between outside users and internal systems– Outside user sends an request to access an intranet

system– Proxy server forwards request to application server– Proxy server receives response and sends to outside

user

Outside Request

Application Server

Response


DO NOT DISTRIBUTE

10

DO NOT DISTRIBUTE

Encryption

• Encryption: Change message so that it cannot be understood even if intercepted– Plaintext – original message– Ciphertext – scrambled message used for transmission– Encryption and Decryption Method and Key

Plaintext Ciphertext Plaintext

CITI BHSH CITI

MethodKey

MethodKey

Transmitted

Encryption Decryption

Encryption

• Encryption Method and Key– Method’s algorithm: Add N letters– Key has a specific value: N = -1 – Method is publicly available– Key must be secretly held


CITI BHSH CITI

MethodKey

Transmitted

Encryption

MethodKey

Decryption


DO NOT DISTRIBUTE

11

DO NOT DISTRIBUTE

Encryption: Key Length

• Data Encryption Standard (DES) – Developed by US government 1977 - 56 bit Key

• Brute force attacks attempt to discover key by exhaustive search– Try all combinations

• Electronic Frontier Foundation – Built a 1,500 chip PC for $220,000– Was able to break DES

– 56 bit message in 56 hours– 64 bit message 34 days– But would take years for 128 bits

Single Key Encryption

• Data Encryption Standard - DES • Weaknesses:

– Need to distribute and keep key secret– All business partners need a different key

• Strength – Operates at high speed

Key A

Key BB


DO NOT DISTRIBUTE

12

DO NOT DISTRIBUTE

Public Key Encryption Methods

• Different keys for encryption and decryption– Sender encrypts with receiver’s public key– Decryption with receiver’s private key– Only receiver can decrypt the encrypted message


CITI CITI

Public Key Private Key

100101

DecryptionEncryption

Public Key Encryption

• Business partners have public and private key sets– Maintain secrecy of private key – key owner is the only

entity in the universe with access to this particular key– Freely distribute public key to everyone

PublicKey

PublicKey

PrivateKey


DO NOT DISTRIBUTE

13

DO NOT DISTRIBUTE

Combining Public & Single Key

• Takes advantage of the strengths of both methods– A creates a single session key– Encrypt the session key with B’s Public Key– B decrypts the session key with its private key– Use the session key to encrypt messages sent in both

directions

Single Keyfor Session

Encryption with B’s Public KeyA B

Example

Advantages

Disadvantages

Secret Key System Public-key Cryptography Digital Envelope

DES

• Fast• Secure*

• Difficulty to distribute keys securely

• Administratively complex: each party needs a separate set of keys

*As long as you change keys frequently. Absolute security with one-time keys and keys longer than the message.

RSA

• Robust**• Reach: anyone can

communicate with you securely

• Only you have the private key

• Slow

**Very difficult to invert.

Combination

• Fast• Secure• Reach


DO NOT DISTRIBUTE

14

DO NOT DISTRIBUTE

Key to Public-Key Encryption

• Based on “hard” mathematics• Very difficult to factor the product of two large

prime numbers• 3?7 = 21 is simple• ? ?? = 35 is simple• ? ?? = 873,652,880,631,…

Public Key Infrastructure (PKI)

• PKI is implemented by the companies that serve as trusted third parties and provide cryptography services– Certificate Authorities (CA) – The third parties that hold, distribute

and authenticate public keys – Certificates – Contain a company’s public key and other information

necessary to engage in secure E-Commerce with that company– Certificate Revocation Lists (CRL) – List of certificates that are no

longer valid – Providers

– Verisign (RSA spin -off) – CyberTrust (GTE)

– Digital Signatures - Sender can sign the document with their private key and receiver can verify both the identity of the sender and the integrity of the message using the sender’s public key


DO NOT DISTRIBUTE

15

DO NOT DISTRIBUTE

Buying a Dell Online

• Secure Socket Layer - SSL• Secure HTTP - HTTPS

Request for Account #

and Password

Dell’sWebserver

Dell’sDatabase Server

SSL in Browser

Secure HTTP

Login Form &Dell’s Digital

Certificate


Web Server sends account login form and digital certificate to customer

YOUR PC with Browser

Dell’sWebserver

Dell’sDatabase Host


DO NOT DISTRIBUTE

16

DO NOT DISTRIBUTE


• Customer’s browser verifies Dell’s Certificate and public key


Dell’sWebserver


Certificate Authority’sWebserver


• Customer’s browser – uses SSL to generate a single key for this session– encrypts session key with Dell’s public key– sends encrypted session key to Dell

Dell’sWebserver



Session

Key


DO NOT DISTRIBUTE

17

DO NOT DISTRIBUTE


• Dell’s Web server uses the Dell private key to unlock the session key sent from customer

Dell’sWebserver



Session

Key

Unlock session key with Dell’s private key


• Customer inputs account number and password information

• Browser encrypts customer information with session key

Dell’s Webserver Dell’sDatabase Host



DO NOT DISTRIBUTE

18

DO NOT DISTRIBUTE


• Customer browser sends the encrypted customer information to Dell’s Secure Server

Browser Using SSL

Dell’sWebserver


Encrypted Customer

Information


• Dell’s Web server uses the session key to decrypt the customer information

• Customer information sent to back-end database server for further processing.

C/SDatabase

Account #

Dell’sWebserver




DO NOT DISTRIBUTE

19

DO NOT DISTRIBUTE

Digital Signature

Message Digest

Document Document

17

Consumer Private Key

Digital Certificate/Public Key

Message Digest

17 17 = 17

Consumer Public Key

Virtual Private Networks - VPN

Access Point

Firewall Dropped Packets

DNS Server

Competitor

Foreign Government

Router

POPPOPMessageMessage POPPOP

“Bit Bucket”

SWTCHSWTCH

Eunet

UUNET

WorldCOM

NetCOM

Sprint

DNS Directory

DNS Directory

SWTCHSWTCH MessageMessage

Hackers Cannot Read Packets

Firewall

Message Encrypted Entire Route

Router

VPN VPN


DO NOT DISTRIBUTE

20

DO NOT DISTRIBUTE

Privacy Statement - DoubleClick

What it says: "Abacus Online will maintain a database consisting of personally identifiable information about those Internet users who have received notice that their personal information will be used for online marketing purposes and associated with information about them available from other sources, and who have been offered the choice not to receive these tailored messages."

Source: Industry Standard March 13, 2000


What a privacy expert says it means: "We have agreements with some popular Web sites under which they give to us information such as your name, address and e-mail address for inclusion in our database. We tie this information to a unique identifier that we've set on your computer and use it to track you and your activities at various other Web sites that we have contracts with. All this information is fed back into a profile we've created about you."

- Deirdre Mulligan, privacy counsel, Center for Democracy and Technology



DO NOT DISTRIBUTE

21

DO NOT DISTRIBUTE


What the company says it means: "DoubleClick's policy is to only match online and offline information after consumers have been given notice that we're going to do it and the choice to opt out."

- Josh Isay, public policy director, DoubleClick


Privacy Statement -iVillage

What it says: "You agree that iVillage may assign, sell, licenseor otherwise transfer to a third party your name, address, e-mail address, member name and any other personal information in connection with an assignment, sale, joint venture or other transfer or disposition of a portion or all of the assets or stock of iVillage or its affiliated entities."



DO NOT DISTRIBUTE

22

DO NOT DISTRIBUTE


What a privacy expert says it means: "I hope this site is offering unusually valuable content, because users are likely topay a high price in personal privacy when they visit the site. What will the ultimate recipient of the personal information do with it? There's no way to predict that."

- David Sobel, general counsel, Electronic Privacy Information Center



What the company says it means: "We do not share personally identifiable information without our members' informed consent. ... We are looking proactively at ways to improve this key commitment to our members, including working with ... industry organizations dedicated to establishing best-of-breed privacy policies."

- Jason Stell, spokesman, iVillage



DO NOT DISTRIBUTE

23

DO NOT DISTRIBUTE

Privacy Statement -Microsoft

What it says: "Every registered customer has a unique personal profile. ... When you register, we create your profile, assign apersonal identification number, then send this personal identification number back to your hard drive in the form of a cookie, which is a very small bit of code. ... Even if you switch computers, you won't have to reregister – just use your e-mail address and password to identify yourself."



What a privacy expert says it means: "Unique ID numbers destroy online anonymity. This was the reason why the Intel Pentium III, with its Processor Serial Number, was so controversial. Most users do not want their identities to be captured or to have 'unique personal profiles' created.”

– David Sobel



DO NOT DISTRIBUTE

24

DO NOT DISTRIBUTE


What the company says it means: "The convenience of having that ID in the cookie is that any personalization of the Microsoft.com site is available to anyone by coming to the site.No individual information is stored in the cookie or exposed on the site except to the person who submits the e-mail address and password."

- Richard Purcell, privacy director, Microsoft


Privacy Statement -Barnesandnoble.com

What it says: "We do work with certain companies who, in conjunction with their own membership programs or rewards programs, require that we disclose purchasing information about their customers who visit the Barnesandnoble.com site through links from the partner sites. ... If you do not want us to disclose that information to the strategic partner, then you mus t contact them directly."



DO NOT DISTRIBUTE

25

DO NOT DISTRIBUTE


What a privacy expert says it means: "These companies get a cut of the money spent by the people they send here. ... They require us to give them your name and e-mail address too but they should have notified you and gotten your permission to do so. We don't have a lot of leverage to make them change this policy, so if you want to complain, you should complain to them."

- Deirdre Mulligan



What the company says it means: "The information thatBarnesandnoble.com provides is limited to the identifier of the customer and the total amount of the purchase – never sharing the specifics of the purchase. ... In such cases, through their membership in such sites, the customers have consented to the information being shared in order for rebates to be paid."

- Carl Rosendorf, senior VP, Barnesandnoble.com



DO NOT DISTRIBUTE

26

DO NOT DISTRIBUTE

Wallet Companies

• Dash.com• Gator.com• Brodia.com• CyberCash – Instabuy• EntryPoint

Date post:	12-Aug-2020
Category:	Documents
Upload:	others
View:	0 times
Download:	0 times

Copyright 2000 Randy Smith and the Darden School DO NOT ... · trusted third parties and provide...

Documents