Quiz-2 Review, ECE-6612, Prof. John A. Copeland (http://www.csc.gatech.edu/copeland/jac/6612/), 2013


Presentation Transcript


Slide 1

Quiz-2 Review

ECE-6612

http://www.csc.gatech.edu/copeland/jac/6612/

Prof. John A. Copeland

[email protected]

404 894-5177

fax 404 894-0035

Office: Klaus 3362

email or call for office visit, or call 404 894-5177

2013


Slide 2

Quiz-2 Topic Areas

Email Security - PGP, S/MIME

IP Security - IPsec (AH, ESP modes, VPN)

Web Security - Secure Sockets Layer / Transport Layer Security (SSL, TLS)

- Certificates, CAs, Hashes (MD5)

Intruders (and other Malicious Users) - Protection

DNS - cache poisoning (Birthday Attack used)

IDS - (Base-Rate Fallacy, False-Positive Rate)

Viruses - Worms, Trojan Horses, Logic Bombs, ...

We did not do slides 9c, but we have discussed:

BotNets, DDoS, SPAM, Phishing

2


Slide 3

Email Privacy

Establishing Keys

Public Key Certification

Exchange Public Keys

Multiple Recipients

Encrypt message m with a one-time session key, S

Encrypt S with each recipient's public key

Send: {S; Kbob}, {S; Kann}, ... , {m; S}   (here {x; K} means x encrypted under key K)

Authentication of Source (digital signatures)

Hash (MD5, SHA-2) of the message, encrypted with the signer's private key. Check by decrypting with the signer's public key and comparing the result to a fresh hash of the received message.

3


Slide 4

Digital Signature

4

From "PGP Freeware for MacOS, User's Guide" Version 6.5, Network Associates, Inc., www.pgp.com


Slide 5

PGP Email Receiver (figure, p.144-145 ed.3)

Inputs: the received message; your private key ring, unlocked by the typed passphrase (receiver's private key); the public key ring (sender's public key).

Steps, in order:

R64 decode to binary

DP - public/private-key decryption: recover the session key from its wrapped copy using the receiver's private key

DC - symmetric decryption of the message body with the session key

ZIP decompress

H - hash the message and check the signature with the sender's public key

5
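The whole flow of slides 3 to 5 as one runnable exchange, written for this review and not taken from the course or from PGP: the sender signs, compresses, encrypts under a fresh session key S, wraps S for every recipient, and radix-64 armors the result; each recipient reverses the steps with their own private key and checks the signature with the sender's public key. Everything is standard-library Python. The RSA is textbook RSA with small demo keys and no padding, the symmetric cipher is a SHA-256 counter keystream standing in for CAST/IDEA/AES, and the 8-byte key id (low bits of n) is a simplification of PGP's key id; all function names are this example's own. These are stand-ins that show the structure of the protocol, not anything to use for real mail.

```python
"""PGP-style message flow: sign, compress, hybrid-encrypt to several
recipients, radix-64 armor; the receiver reverses the steps.
Demo crypto only (textbook RSA, SHA-256 keystream): structure, not security."""
import base64, hashlib, os, random, zlib

KEY_BITS = 384              # demo size: n must exceed a 256-bit hash and a 128-bit S
KEY_BYTES = KEY_BITS // 8   # fixed width of every RSA output inside the packet

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=KEY_BITS):
    """Returns (public, private) = ((e, n), (d, n)). Demo keys, not for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa_apply(key, value):
    """value^exp mod n as a fixed-width byte string (textbook RSA, no padding)."""
    exp, n = key
    return pow(value, exp, n).to_bytes(KEY_BYTES, "big")

def key_id(pub):
    """Demo key id: low 64 bits of the modulus (loosely like PGP's key id)."""
    return (pub[1] & (2 ** 64 - 1)).to_bytes(8, "big")

def stream_xor(key, data):
    """Counter-mode keystream from SHA-256, standing in for the block cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def pgp_send(message, sender_priv, recipient_pubs):
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    signed = rsa_apply(sender_priv, digest) + message      # {H(m); sender's private key} || m
    compressed = zlib.compress(signed)                     # ZIP
    S = os.urandom(16)                                     # one-time session key
    body = stream_xor(S, compressed)                       # {m; S}
    wrapped = b"".join(key_id(pub) + rsa_apply(pub, int.from_bytes(S, "big"))
                       for pub in recipient_pubs)          # {S; Kbob}, {S; Kann}, ...
    packet = bytes([len(recipient_pubs)]) + wrapped + body
    return base64.b64encode(packet)                        # radix-64 armor

def pgp_receive(armored, my_pub, my_priv, sender_pub):
    """Returns (message, signature_ok); raises KeyError if S was not wrapped for us."""
    packet = base64.b64decode(armored)                     # R64 decode to binary
    count, entry = packet[0], 8 + KEY_BYTES
    wrapped = {}
    for i in range(count):
        rec = packet[1 + i * entry: 1 + (i + 1) * entry]
        wrapped[rec[:8]] = rec[8:]
    body = packet[1 + count * entry:]
    S_int = int.from_bytes(rsa_apply(my_priv, int.from_bytes(wrapped[key_id(my_pub)], "big")), "big")
    S = S_int.to_bytes(16, "big")                          # DP: recover S with own private key
    signed = zlib.decompress(stream_xor(S, body))          # DC, then ZIP decompress
    sig, message = signed[:KEY_BYTES], signed[KEY_BYTES:]
    expected = hashlib.sha256(message).digest()            # H: fresh hash of the message
    ok = rsa_apply(sender_pub, int.from_bytes(sig, "big"))[-32:] == expected
    return message, ok
```

A recipient whose key id is not in the packet cannot recover S at all, and a message verified against the wrong public key decrypts fine but fails the signature check; both are the behaviours the slides describe, and both come from the structure rather than from any one cipher.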


Slide 6

R64 Encode: Every 3 bytes are split into 4 6-bit numbers, n = 0 to 63

Example: 3 bytes 01100100 10110101 01101010 (0x64 0xB5 0x6A)

-> 6-bit groups 011001 001011 010101 101010 = 25, 11, 21, 42

-> printable characters "ZLVq"

Alphabet (64 characters, in this order): A-Z a-z 0-9 + /   ("=" pads a short final group)

In a received message, "=", ">", CR, LF, ... are ignored by the decoder.

* Mapping a 6-bit value to its character is roughly "add 64" (put "01" in front), but not exactly: n = 0..25 -> n + 65 ('A'..'Z'), n = 26..51 -> n + 71 ('a'..'z'), n = 52..61 -> n - 4 ('0'..'9'), 62 -> '+', 63 -> '/'.

6
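The 3-bytes-to-4-characters rule written out as a small encoder and lenient decoder, added here as an example (it is not code from the course; Python's base64 module is used only to check the result). The decoder skips anything outside the alphabet, which is exactly why "=", ">", CR and LF in a received message are harmless, and the mapping function spells out the exact per-range offsets that the "add 64" shortcut approximates.

```python
"""Radix-64 (base64) by hand: 3 bytes -> 4 six-bit values -> 4 printable characters."""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def r64_char(n):
    """Map a 6-bit value 0..63 to its printable character."""
    if n < 26:
        return chr(n + 65)          # 'A'..'Z'
    if n < 52:
        return chr(n + 71)          # 'a'..'z'
    if n < 62:
        return chr(n - 4)           # '0'..'9'
    return "+/"[n - 62]

def r64_encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        bits = int.from_bytes(chunk.ljust(3, b"\0"), "big")        # one 24-bit group
        sextets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        chars = [r64_char(s) for s in sextets]
        keep = 1 + len(chunk)       # a 1- or 2-byte final group yields 2 or 3 real characters
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)

def r64_decode(text: str) -> bytes:
    """Lenient decoder: '=', '>', CR, LF and anything else outside the alphabet is skipped."""
    values = [ALPHABET.index(c) for c in text if c in ALPHABET]
    out = bytearray()
    for i in range(0, len(values), 4):
        group = values[i:i + 4]
        n = len(group)              # 4 values -> 3 bytes, 3 -> 2, 2 -> 1
        bits = 0
        for v in group + [0] * (4 - n):
            bits = (bits << 6) | v
        out += bits.to_bytes(3, "big")[:n - 1]
    return bytes(out)

def self_check(max_len=40) -> bool:
    """Round trip and agreement with the standard library for every short length."""
    for length in range(max_len):
        data = bytes((7 * k + 3) & 0xFF for k in range(length))
        if r64_encode(data) != base64.b64encode(data).decode():
            return False
        if r64_decode(r64_encode(data)) != data:
            return False
    return True
```

The slide's own bytes, 0x64 0xB5 0x6A, encode to "ZLVq"; a quoted and line-wrapped copy such as "> ZLVq\r\n" decodes back to the same three bytes.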


Slide 7

Simple Mail Transfer Protocol (SMTP, RFC 821; message format in RFC 822)

SMTP Limitations - cannot transmit, or has a problem with:

• executable files, or other binary files (e.g., a JPEG image).

• "national language" characters (non-ASCII)

• messages over a certain size

• ASCII to EBCDIC (or other character set) translation problems

• lines longer than a certain length (72 to 254 characters)

MIME Defined Five New Headers

• MIME-Version. Must be "1.0" -> RFC 2045, RFC 2046

• Content-Type. More types keep being added by developers (e.g., application/msword)

• Content-Transfer-Encoding. How the body has been encoded (e.g., radix-64, i.e. base64)

• Content-ID. Unique identifying character string.

• Content-Description. Needed when the content is not readable text (e.g., mpeg)

Canonical Form: a standard format for exchange between systems, as opposed to a "native" local format (the slide's example: GIF).


Slide 8

Investigating Email You Receive

Look at the "Raw" or "Source" message to see:

Headers (who sent it? - the "Received:" headers give IP addresses and time zones)

HTML links (where they will really take you)

Investigate

Source (who sent it) - the lowest "Received:" header (the first hop; every relay adds its own header above it)

Active links in <a href="http://{IP or URL}">{text}</a> - the href, not the displayed text, is where you go

Images (can compromise the client, or act as a "Web Bug" that reports when you read the mail) in <img src="{IP, URL or filename}" ... >

Programs to Use

nslookup (dig, host) - IP from a host name, or host name from an IP

whois - registrant of a domain (not of a URL)

traceroute - path of packets through routers

Configure your email reader not to download linked content (remote images) automatically

8
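What the inspection above looks like when automated, added as an example (not course code): parse the raw message, list the Received: chain origin first, flag every link whose visible text names one host while its href goes to another, and list remote images. RAW_MAIL is a constructed sample with documentation addresses and made-up host names; the Python standard library's email and html.parser modules do the parsing.

```python
"""Evidence extraction from a raw message: Received: chain, deceptive links, web bugs."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phish: header chain of three hops, plain and HTML parts.
RAW_MAIL = """\
Received: from mx.poly.edu (mx.poly.edu [10.10.1.5])
\tby mail.poly.edu with ESMTP id 7f3a; Tue, 5 Mar 2013 09:12:01 -0500
Received: from relay.example.net ([192.0.2.44])
\tby mx.poly.edu with SMTP; Tue, 5 Mar 2013 09:11:58 -0500
Received: from [198.51.100.7] (helo=bank-secure.example.com)
\tby relay.example.net; Tue, 5 Mar 2013 22:11:40 +0800
From: "Account Services" <alerts@bank.example.com>
To: joe@poly.edu
Subject: Verify your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please verify at http://www.bank.example.com/verify
--b1
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please <a href="http://198.51.100.7/login.php">http://www.bank.example.com/verify</a></p>
<img src="http://tracker.example.net/pixel.gif?id=joe" width="1" height="1">
<img src="cid:logo">
</body></html>
--b1--
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)

def received_chain(msg):
    """Received: headers ordered origin first. Each relay prepends its own header,
    so the lowest one in the raw message is the oldest. Only headers added by relays
    you trust are reliable; anything below them could have been forged by the sender."""
    chain = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        chain.append({"raw": text, "ips": IPV4.findall(text)})
    return chain

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> and src for every <img>."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def claimed_host(text):
    """Host named by the visible link text, if that text looks like a URL or domain."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else None

def analyze(raw):
    msg = message_from_string(raw, policy=policy.default)
    chain = received_chain(msg)
    report = {"received_chain": chain, "origin_ips": chain[0]["ips"] if chain else [],
              "deceptive_links": [], "web_bugs": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            # the text names one host but the href goes elsewhere: the classic phish
            if claimed_host(text) and claimed_host(text) != (urlparse(href).hostname or ""):
                report["deceptive_links"].append((text, href))
        # remote images are fetched when the mail is opened and tell the sender you read it;
        # cid: references point at inline attachments and stay local
        report["web_bugs"] += [s for s in collector.images
                               if s.lower().startswith(("http://", "https://"))]
    return report
```

On the sample, the origin hop is 198.51.100.7 (the machine that claimed to be bank-secure.example.com in its HELO), the one link in the HTML says www.bank.example.com but points at that same raw IP, and the 1x1 pixel from tracker.example.net is the web bug; the cid: logo is not reported because it never leaves the mail client.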


Slide 9

Internet Architecture (figure: Browser - Router - Web Server)

The two end hosts in the figure (IP addresses 130.207.22.5 and 24.88.15.22) each run the full stack; the browser uses an ephemeral port (31337 in the figure) and the web server listens on port 80:

Application Layer (HTTP) - port numbers

Transport Layer (TCP, UDP) - segment numbers

Network Layer (IP) - IP addresses

Data-Link Layer (Token Ring or Ethernet) - frames

Physical Layer (Token Ring or Ethernet)

The Router in between implements only the Network, Data-Link and Physical layers: it buffers packets that need to be forwarded (based on IP address), here between a Token Ring link on one side and an Ethernet link on the other.

9


Slide 10

IPsec - Security Associations

Transport mode, Host-to-Host: AH or ESP protects only the IP payload (the TCP/UDP segment); the original IP header is kept.

Tunnel mode, Gateway-to-Gateway (Routers, VPN): the whole original IP packet is encapsulated inside a new IP packet carried between the two gateways.

10


Slide 11

DNS Resolution and Fast Flux (figure from "Computer Networking: A Top Down Approach Featuring the Internet", by Jim Kurose & Keith Ross, ch. 2: Application Layer)

Fast Flux DNS: the URL in a phishing email resolves to one of many bots.

• Host joe.poly.edu at poly.edu wants the IP address for www.urhckd.com.

• The host sends a "recursion-desired" query to its local DNS server, dns.poly.edu (step 1).

• The local DNS server resolves the name on the host's behalf: it queries the root DNS server (2, 3), the .com TLD DNS server (4, 5) and the authoritative DNS server dns.urhckd.com (6, 7), then returns the final answer to the host (8). The host makes a single recursive query; the local server's queries to the other servers are iterative.

Fast Flux - many IPs of bot phishing sites, all answering for the same name:

$ nslookup www.urhckd.com.
answer 78.82.245.12

$ nslookup www.urhckd.com.
answer 53.119.24.124

Note: the trailing dot after "com" marks the name as fully qualified, so no local search suffix is appended; it does not bypass the cache of dns.poly.edu. Repeated lookups return different addresses because fast-flux records carry a very short TTL and the bot addresses are rotated.


Slide 12

DNS Cache Poisoning - Birthday Attack (figure: Local DNS, NS-CNN.COM, Hacker; time runs downward)

1. The hacker sends the local DNS server 260 requests for the same name, www.cnn.com, so it sends 260 queries to NS-CNN.COM (dns.cnn.com, 64.236.90.21), each with a different random 16-bit transaction ID. (*)

2. At the same time the hacker sends N spoofed replies, apparently from the authoritative name server, each with a random ID and the fake answer "www.cnn.com is 66.66.66.66" (the fake authoritative NS IP address).

3. Any spoofed reply whose ID matches one of the 260 outstanding queries is accepted: a correct guess of one ID.

4. The local DNS server then caches www.cnn.com = 66.66.66.66 and hands it to every client until the TTL expires.

A DoS attack on the real NS-CNN.COM keeps its genuine replies from arriving first.

Probable no. of hits = 260 * N / 256^2 = 1 if N = 252

Prob(hits > 0) = 1 - e^-1 = 0.63

Total packets = 260 + 252 = 512

* Local DNS sends 260 queries with different IDs.

12
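The slide's numbers carried through, as an added example (not course code): expected hits, the slide's Poisson-style 1 - e^-1, the exact probability, and a Monte Carlo check, alongside the same 512-packet budget spent against a single outstanding query to show what the birthday effect buys the attacker. The id_space argument is the 16-bit transaction ID; resolvers patched after 2008 also randomize the UDP source port, and passing a larger space shows what that costs the attacker.

```python
"""Hit probabilities for the birthday-style DNS cache-poisoning attack."""
import math
import random

ID_SPACE = 2 ** 16   # 16-bit DNS transaction ID

def expected_hits(queries, replies, id_space=ID_SPACE):
    """The slide's 'probable number of hits': queries * N / 256^2."""
    return queries * replies / id_space

def p_hit_poisson(queries, replies, id_space=ID_SPACE):
    """The slide's Prob(hits > 0) = 1 - e^-mean, treating the hit count as Poisson."""
    return 1 - math.exp(-expected_hits(queries, replies, id_space))

def p_hit_exact(queries, replies, id_space=ID_SPACE):
    """P(at least one spoofed reply matches an outstanding ID), with the
    outstanding IDs distinct and each reply an independent random guess."""
    return 1 - (1 - queries / id_space) ** replies

def p_hit_single_query(replies, id_space=ID_SPACE):
    """Same attacker budget against one outstanding query: no birthday effect."""
    return p_hit_exact(1, replies, id_space)

def simulate(queries, replies, trials=2000, id_space=ID_SPACE, seed=1):
    """Monte Carlo check: fraction of trials in which some spoofed reply is accepted."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        outstanding = {rng.randrange(id_space) for _ in range(queries)}
        if any(rng.randrange(id_space) in outstanding for _ in range(replies)):
            hits += 1
    return hits / trials
```

With 260 queries and 252 replies the exact probability is about 0.633, matching the slide's 0.63; spending all 512 packets as guesses against one query gives under 1%. Against a 32-bit effective space (ID plus random source port) the same 512 packets succeed with probability around 1.5e-5.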


Slide 13

TLS combined with an application protocol (the "Combo"*) is called:

HTTPS = TLS + HTTP (Hyper Text Transfer Protocol)

FTPS = TLS + FTP (File Transfer Protocol). "SFTP" is a different protocol: file transfer over SSH, not over TLS.

ESMTP with STARTTLS = TLS + SMTP (Extended Simple Mail Transfer Protocol; STARTTLS is one of the ESMTP extensions)

(SNMP version 3 secures itself with its own user-based security model rather than with TLS)

* Secure Sockets Layer (SSL) ~= Transport Layer Security (TLS)

13


Slide 14

Definitions

Virus - code that copies itself into other programs.

A "Bacteria" (or rabbit) replicates until it fills all disk space or CPU cycles.

Payload - the harmful things the malicious program does, after it has had time to spread.

Worm - a program that replicates itself across the network, usually riding on email messages or attached documents (e.g., macro viruses). Email "viruses" are technically "worms".

Trojan Horse - instructions in an otherwise good program that cause bad things to happen (e.g., sending your data or password to an attacker over the net).

Logic Bomb - malicious code that activates on an event (time, trigger).

Trap Door (or Back Door) - an undocumented entry point written into code for debugging that can let in unwanted users.

"Vulnerability" - a program defect that permits "Intrusions".

Easter Egg - extraneous code that does something "cool"; a way for programmers to show that they control the product.

Bot, BotNet - a large network (hundreds to millions) of compromised computers (Bots), coordinated peer-to-peer or through a command channel such as IRC, that commit DDoS, SPAM and Phishing.

14


Slide 15

The Stages of a Network Intrusion [RAERU]

1. Scan the network to find: [RECONNAISSANCE]

• which IP addresses are in use,

• what operating system is in use,

• what TCP or UDP ports are "open" (being listened to by servers).

2. Run "Exploit" scripts against open ports. [ACCESS]

3. Elevate privileges to "root". [ELEVATE]

4. Download from a hacker web site special versions of system files that will let the cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [ROOT KIT]

5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its information another way. [UTILIZE]

Detection methods listed beside the stages on the slide (* = StealthWatch features): flow-based "CI"* and signature-based?; vulnerability scan; signature?, flow-based port profile*; host-based; signature?, "port-profile"*, forbidden zones*, host-based.

15


Slide 16

Protection from a Network Intrusion

1. Use a "Firewall" between the local area network and the world-wide Internet to limit access (Chapter 10).

2. Use an IDS (Intrusion Detection System) to detect the cracker during the scanning stage (lock out the IP address, or monitor and prosecute).

3. Use a program like Tripwire on each host to detect when system files are altered, and email an alert to the sys admin.

4. Microsoft PC (XP SP3, Vista, or "7"): use the OS firewall, which limits incoming and outgoing communications by application (program), not just by port number. Mac: buy "Little Snitch".

General Protection: update the OS, anti-virus, and applications as frequently as possible.

Rule 2: Multiple layers of protection are needed to reach a high level of security at an affordable cost.

16
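Catching stage 1 of slide 15 the way item 2 above asks for, as an added example (not StealthWatch or course code): from flow records, a source that reaches many distinct ports on one host, or one port on many hosts, inside a short window is scanning, and the verdict is turned into a lock-out rule. FLOWS is a constructed sample in a NetFlow-like shape using documentation addresses; the thresholds and window are assumptions to tune per network.

```python
"""Port-scan and host-scan detection from flow records, with a lock-out response."""
from collections import defaultdict

# (start_time_s, src_ip, dst_ip, dst_port, protocol, packets): constructed sample
FLOWS = [
    (100, "192.0.2.10", "198.51.100.5", 80, "tcp", 12),    # ordinary web traffic
    (101, "192.0.2.10", "198.51.100.5", 443, "tcp", 9),
    (102, "192.0.2.11", "198.51.100.5", 80, "tcp", 30),
] + [   # 198.51.100.77 walks ports 1..60 on one host: a vertical (port) scan
    (120 + p, "198.51.100.77", "198.51.100.5", p, "tcp", 1) for p in range(1, 61)
] + [   # 203.0.113.9 tries port 22 on 40 different hosts: a horizontal (host) scan
    (200 + h, "203.0.113.9", f"198.51.100.{h}", 22, "tcp", 1) for h in range(1, 41)
]

def detect_scans(flows, window=60, port_threshold=20, host_threshold=20):
    """Return {src_ip: verdict} for sources that, within any `window`-second span,
    reach more than `port_threshold` distinct ports on a single host (port scan)
    or more than `host_threshold` distinct hosts on one port (host scan)."""
    by_src = defaultdict(list)
    for start, src, dst, port, _proto, _pkts in flows:
        by_src[src].append((start, dst, port))
    verdicts = {}
    for src, recs in by_src.items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):
            # window anchored at each flow start; single-packet flows are the scan's signature
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for t, dst, port in recs[i:]:
                if t - t0 > window:
                    break
                ports_per_host[dst].add(port)
                hosts_per_port[port].add(dst)
            if any(len(p) > port_threshold for p in ports_per_host.values()):
                verdicts[src] = "port scan"
                break
            if any(len(h) > host_threshold for h in hosts_per_port.values()):
                verdicts[src] = "host scan"
                break
    return verdicts

def block_rules(verdicts):
    """The lock-out response from slide 16, item 2, as host firewall rules."""
    return [f"iptables -I INPUT -s {ip} -j DROP   # {kind}"
            for ip, kind in sorted(verdicts.items())]
```

The benign browser at 192.0.2.10 touches two ports and is never flagged; the two scanners each produce one rule. Thresholds this low would fire on legitimate crawlers or monitoring hosts on a real network, which is the base-rate problem slide 18 returns to.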


Slide 17

Anomaly-Based Intrusion Detection (Figure 9.1: two overlapping distributions, normal events and intrusions, along a score axis with a Detection Threshold; events above the threshold are detected as Positive -> Alarm)

A Negative event, True or False, is one that does not trigger an alarm.

High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.

Normal events above the threshold are False Alarms, False Positives (FP). Intrusions below it are Undetected Intrusions, False Negatives (FN).

#False-Positives = #Normal Events x FP-rate

#False-Negatives = #Bad Events x FN-rate

#Normal Events = #TrueNegatives + #FalsePositives   (and #Bad Events = #TruePositives + #FalseNegatives)

17


Slide 18

"Base-Rate Fallacy" Calculations

If the "behavior" is a connection:

For legitimate connections (total number = LC)

True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1

Correctly handled connections (no alarms) = TNR * LC

Incorrectly handled connections (false alarms) = FPR * LC

For malicious connections (total number = MC)

False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1

Correctly handled connections (real alarms) = TPR * MC

Incorrectly handled connections (no alarms) = FNR * MC

If LC >> MC, then (FPR * LC) >> (TPR * MC) whenever FPR >> MC/LC (a tiny number), since TPR = 1 - FNR is at most 1: "false alarms" then far outnumber "real alarms", and most alarms are false even though the detector's own rates look good.

See Slide Set 09A, #17 for example calculations.

18
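The arithmetic above with concrete numbers, added here as an example (the slide set 09A calculations are not on this page, so the traffic figures below are assumptions, not measurements): how many false and real alarms a day, what fraction of alarms an analyst would find real, and the false-positive rate a detector would need before half its alarms are worth chasing.

```python
"""Base-rate fallacy: alarm counts and precision from LC, MC, FPR and TPR."""

def alarm_breakdown(LC, MC, FPR, TPR):
    """Counts for LC legitimate and MC malicious connections seen by a detector
    with false-positive rate FPR and true-positive rate TPR (= 1 - FNR)."""
    false_alarms = FPR * LC          # incorrectly handled legitimate connections
    quiet = (1 - FPR) * LC           # TNR * LC, correctly ignored
    real_alarms = TPR * MC           # correctly handled malicious connections
    missed = (1 - TPR) * MC          # FNR * MC, undetected intrusions
    alarms = false_alarms + real_alarms
    return {
        "false_alarms": false_alarms, "quiet": quiet,
        "real_alarms": real_alarms, "missed": missed,
        # fraction of alarms that are real: the number the analyst actually experiences
        "precision": real_alarms / alarms if alarms else 0.0,
    }

def max_fpr_for_precision(LC, MC, TPR, precision):
    """Largest FPR at which at least `precision` of alarms are real:
    TP / (TP + FP) >= precision  <=>  FP <= TP * (1 - precision) / precision,
    with FP = FPR * LC and TP = TPR * MC."""
    return TPR * MC * (1 - precision) / precision / LC

# Assumed campus-scale day: a million legitimate connections, ten malicious ones,
# and a detector that looks good on paper (0.1% false positives, 99% detection).
DAY = alarm_breakdown(LC=1_000_000, MC=10, FPR=0.001, TPR=0.99)
```

With those assumptions the detector raises about 1000 false alarms against 9.9 real ones, so under 1% of alarms are real; to make half of them real the false-positive rate would have to fall to about 1e-5, two orders of magnitude below the "good" 0.001.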


Slide 19

HW

What was learned from homework problems?

Outside Reading

Government Security Requirements for Utility Networks – debate in congress.

Pentagon – doing what.

Advanced Persistent Threat – who's doing it, and why.

Adobe Systems – vulnerabilities in what products.

Oracle - vulnerabilities in what products.

19


Slide 20

The test will cover the slide sets: 05a-PGP-Email.ppt, 05b-SMIME.ppt, 05c-Phishing Email.ppt, 05d-Phishing Email 2.ppt, 05e-Plain Text Email.ppt, 06a DNS.ppt, 06-IP Networks.ppt, 09a-Intrusion.ppt

It will not cover Simple Network Management Protocol (08-SNMP.ppt).

You will be able to bring your Quiz-1 reference sheet. You should review areas you missed on Quiz-1.

We discussed SSL/TLS in connection with public-private keys, and had a guest speaker, George Macon, talk about problems and changes to SSL. His slides are available at:

http://www.csc.gatech.edu/copeland/jac/6612/slides/07b-SSL_TLS 2013.pdf

You should know a lot about SSL by now. You may benefit from briefly reviewing the SSL part of 07-SSL-SET.ppt.

We will not cover the SET (Secure Electronic Transactions) protocol this year. It has some interesting technology, like the "dual signature," but the standard has not gained traction after several years.

20

