Quiz-2 Review
Quiz-2 Review, ECE-6612, http://www.csc.gatech.edu/copeland/jac/6612/ - Prof. John A. Copeland, [email protected], 404 894-5177, fax 404 894-0035, Office: Klaus 3362 (email or call for office visit), 2013.

Presentation Transcript
Slide1 l.jpg

Quiz-2 Review



Prof. John A. Copeland

[email protected]

404 894-5177

fax 404 894-0035

Office: Klaus 3362

email or call for office visit, or call 404 894-5177


Slide2 l.jpg

Quiz-2 Topic Areas


Email Security - PGP, S/MIME

IP Security - IPsec (AH, ESP modes, VPN)

Web Security - Secure Socket Layers (SSL, TLS)

- Certificates, CA’s, Hashes (MD5)

Intruders (and other Malicious Users) - Protection

DNS - cache poisoning (Birthday Attack used)

IDS - (Base-Rate Fallacy, False-Positive Rate)

Viruses - Worms, Trojan Horses, Logic Bombs, ...

We did not do slides 9c, but we have discussed:

BotNets, DDoS, SPAM, Phishing


Slide3 l.jpg

Email Privacy

Establishing Keys

Public Key Certification

Exchange Public Keys

Multiple Recipients

Encrypt message m with session key, S

Encrypt S with each recipient's key

Send: {S; Kbob}, {S; Kann}, ... , {m; S}

Authentication of Source (digital signatures)

Hash (MD5, SHA2) of message, encrypted with signer's private key. Check by decrypting with signer's public key, and compare to new hash.


Slide4 l.jpg

Digital Signature


From "PGP Freeware for MacOS, User's Guide" Version 6.5, Network Associates, Inc., www.pgp.com

Slide5 l.jpg

PGP Email Receiver

[Figure: PGP receive-side flow. Legend: H = hash, DC = symmetric decryption, DP = public/private-key decryption. Elements shown: typed passphrase, your private key ring, public key ring, private key, public key, session key, check signature, ZIP decompress, R64 decode to binary. Ref: p.144-145, ed.3]


Slide6 l.jpg

R64 Encode: Every 3 bytes split into 4 6-bit numbers, n = 0 to 63

01011001 01001011 01010101 01101010 (encoded bytes: "01" followed by the 6-bit n)

Printable characters a-z A-Z 0-9 + /

In a received message, "=", ">", CR, LF, ... are ignored

* For most 6-bit inputs, R64(n) just adds 64 (puts an "01" in front)
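As an added example (not from the slides), a Radix-64 encoder and decoder in Python: the encoder performs the 3-byte to four-6-bit split described above with the exact alphabet A-Z a-z 0-9 + /, and the decoder skips "=", ">", CR, LF and any other non-alphabet character, as the slide says a receiver does.

```python
# Radix-64 (base64) as PGP uses it: 3 input bytes -> four 6-bit numbers n = 0..63,
# each mapped to one printable character. The exact table is A-Z, a-z, 0-9, +, /.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE = {c: i for i, c in enumerate(ALPHABET)}

def sextets_of(group: bytes) -> list:
    """The four 6-bit numbers one 3-byte group splits into (zero-filled if short)."""
    n = int.from_bytes(group[:3].ljust(3, b"\x00"), "big")   # 24-bit value
    return [(n >> s) & 0x3F for s in (18, 12, 6, 0)]

def r64_encode(data: bytes) -> str:
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                       # 0, 1 or 2 missing input bytes
        chars = [ALPHABET[v] for v in sextets_of(chunk)]
        for k in range(pad):                       # "=" replaces sextets that only
            chars[3 - k] = "="                     # covered fill bytes
        out.append("".join(chars))
    return "".join(out)

def r64_decode(text: str) -> bytes:
    # Everything outside the 64-symbol alphabet ("=", ">", CR, LF, spaces, ...)
    # is ignored, so quoted or line-wrapped input decodes unchanged.
    sextets = [DECODE[c] for c in text if c in DECODE]
    out = bytearray()
    for i in range(0, len(sextets), 4):
        group = sextets[i:i + 4]
        n = 0
        for v in group + [0] * (4 - len(group)):   # zero-fill a short last group
            n = (n << 6) | v
        # k sextets carry (k*6)//8 whole bytes: 4 -> 3, 3 -> 2, 2 -> 1
        out += n.to_bytes(3, "big")[: (len(group) * 6) // 8]
    return bytes(out)
```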


Slide7 l.jpg

Simple Mail Transfer Protocol (SMTP, RFC 822)

SMTP Limitations - Cannot transmit, or has a problem with:

• executable files, or other binary files (jpeg image).

• “national language” characters (non-ASCII)

• messages over a certain size

• ASCII to EBCDIC (or other character set) translation problems

• lines longer than a certain length (72 to 254 characters)

MIME Defined Five New Headers

• MIME-Version. Must be “1.0” -> RFC 2045, RFC 2046

• Content-Type. More types being added by developers (application/word)

• Content-Transfer-Encoding. How message has been encoded (radix-64)

• Content-ID. Unique identifying character string.

• Content-Description. Needed when content is not readable text (e.g., mpeg)

Canonical Form: Standard format for use between systems ( not a “native” format - GIF).

Slide8 l.jpg

Investigating Email You Receive

Look at the "Raw" or "Source" message to see:

Headers: who it claims to be from, and the "Received:" headers (IP, time zone)

HTML links (where they will actually take you)

Source (who sent it) - the lowest "Received:" header

Active links in

<a href="http://{IP or URL}">{text}</a>

Images (can compromise, or act as a "Web Bug") in

<img src="{IP, URL or filename}" ... >

Programs to Use

nslookup (dig, host) - IP from URL, or URL from IP

whois - registrant of a domain (not a URL)

traceroute - path of packets through routers

Configure the email reader to not download linked content automatically
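Added example (not from the slides): a Python script that pulls out what the slide says to look at in a raw message: the "Received:" chain read from the lowest header upward, every <a href> with its visible text, and every <img src>. The message is constructed for the demo; nslookup, whois and traceroute would then be run on the addresses it reports.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not a real one): three Received: hops and an
# HTML body whose visible link text does not match the real href.
RAW = b"""Received: from mx.example.edu ([192.0.2.10]) by inbox.example.edu; Mon, 4 Mar 2013 10:02:11 -0500
Received: from relay.example.net ([198.51.100.7]) by mx.example.edu; Mon, 4 Mar 2013 10:02:09 -0500
Received: from [203.0.113.99] (unknown) by relay.example.net; Mon, 4 Mar 2013 23:02:01 +0800
From: "Bank Support" <support@example.com>
Content-Type: text/html

<html><body><a href="http://203.0.113.99/login">https://www.example.com/login</a>
<img src="http://203.0.113.99/track.gif?id=42" width="1" height="1"></body></html>
"""

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.images, self.in_a = [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.in_a = True
            self.links.append([a["href"], ""])      # [real target, visible text]
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])            # possible web bug
    def handle_data(self, data):
        if self.in_a:
            self.links[-1][1] += data.strip()
    def handle_endtag(self, tag):
        if tag == "a":
            self.in_a = False

def received_chain(raw: bytes) -> list:
    """Received: headers, lowest (closest to the true sender) first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [" ".join(str(h).split()) for h in reversed(msg.get_all("Received", []))]

def html_links(raw: bytes):
    """(links, images) found in the HTML body; empty if there is no HTML part."""
    body = email.message_from_bytes(raw, policy=policy.default).get_body(("html",))
    p = LinkCollector()
    p.feed(body.get_content() if body else "")
    return [tuple(l) for l in p.links], p.images

def deceptive_links(raw: bytes) -> list:
    """Links whose visible text is itself a URL that differs from the real href."""
    return [(h, t) for h, t in html_links(raw)[0] if t.startswith("http") and t != h]
```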


Slide9 l.jpg

Internet Architecture

[Figure: hosts connected through a router. Labels: Web Server, Port 80, Port 31337; the router "buffers packets that need to be forwarded (based on IP address)". Per-node stack shown: transport layer (segment no.), IP layer (IP address), data-link layer (Token Ring / E'net data), physical layer (Token Ring / E'net phys.).]


Slide10 l.jpg

IPsec - Security Associations

Transport, Host-Host

Tunnel, Gateway-Gateway (Routers)


Slide11 l.jpg

[Figure: requesting host, local DNS server, root DNS server, TLD DNS server, authoritative DNS server. From "Computer Networking: A Top Down Approach Featuring the Internet", by Jim Kurose & Keith Ross, chapter 2: Application Layer]

  • Host at poly.edu wants IP address for www.urhckd.com

  • Host sends a "recursion-requested" query to dns.poly.edu.

  • [Host is doing a non-recursive search]

  • Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to the host.

Fast Flux DNS: the URL in a phish resolves to one of many bots (many IP's of bot phishing sites).

Note: the dot after "com" below is necessary to avoid getting the same cached answer from dns.poly.edu.

$ nslookup www.urhckd.com.

Slide12 l.jpg

DNS Cache Poisoning - Birthday Attack

[Figure: exchange between Local DNS, NS-CNN.COM and Hacker. The Hacker sends 260 requests for the same domain, cnn.com, to the Local DNS, which sends 260 queries "Lookup www.cnn.com" with different (random) IDs to NS-CNN.COM. The Hacker also sends N replies "www.cnn.com is ..." with random IDs and a fake authoritative name server IP address; one of them is a correct guess of one ID. Other labels on the figure: "DOS Attack" (at NS-CNN.COM), "dns.cnn.com is 64.236.90.21".]

Probable no. of hits = 1 if N = 252

Total packets = 512

* Local DNS sends 260 queries with different IDs.
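Added example (not part of the slides): the probability arithmetic behind the 260 / 252 / 512 numbers, assuming the 16-bit transaction ID is the only field a forged reply has to match. It also puts the same packet budget next to the no-birthday case and, going beyond the slide, next to a resolver that adds a random 16-bit source port (the mitigation later adopted by resolvers).

```python
import math

ID_SPACE = 1 << 16   # 16-bit DNS transaction ID: the only field to guess here

def expected_hits(q: int, n: int, id_space: int = ID_SPACE) -> float:
    """Expected number of the n forged replies whose ID matches one of the
    q outstanding queries (each query carries an independent random ID)."""
    return q * n / id_space

def p_at_least_one_hit(q: int, n: int, id_space: int = ID_SPACE) -> float:
    """P(at least one forged reply is accepted), treating replies as independent."""
    return 1.0 - (1.0 - q / id_space) ** n

def replies_for_expected_one_hit(q: int, id_space: int = ID_SPACE) -> int:
    """Smallest n with expected_hits(q, n) >= 1 (the slide rounds 252.06 to 252)."""
    return math.ceil(id_space / q)

def summarize(q: int = 260, n: int = 252) -> dict:
    """Reproduce the slide's numbers and put them next to two comparison cases."""
    return {
        "queries": q, "replies": n, "total_packets": q + n,
        "expected_hits": round(expected_hits(q, n), 3),
        "p_success": round(p_at_least_one_hit(q, n), 3),
        # Same packet budget but one query at a time (no birthday pairing):
        # every forged reply has to hit a single ID.
        "p_success_no_birthday": round(p_at_least_one_hit(1, q + n), 3),
        # Resolver also randomizes its 16-bit source port (assumed mitigation,
        # not on the slide): a forged reply must now match 32 bits.
        "p_success_32bit": p_at_least_one_hit(q, n, ID_SPACE << 16),
    }
```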


Slide13 l.jpg

Combo* of an application protocol with SSL/TLS, called: HTTPS (Hyper Text Transport Protocol), Secure File Transport Protocol, Enhanced Simple Mail Transport Protocol (= TLS + SMTP); (SNMP version 3)

* Secure Socket Layer ~= Transport Layer Security


Slide14 l.jpg


Virus - code that copies itself into other programs.

A “Bacteria” replicates until it fills all disk space, or CPU cycles.

Payload - harmful things the malicious program does, after it has had time to spread.

Worm - a program that replicates itself across the network, usually riding on email messages or attached documents (e.g., macro viruses). Email "viruses" are technically "worms".

Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).

Logic Bomb - malicious code that activates on an event (time, trigger).

Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.

“Vulnerability” - a program defect that permits “Intrusions”.

Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.

Bot, BotNet - Large P2P network (hundreds to millions) of compromised computers (Bots) that communicate to commit DDoS, SPAM, Phish.


Slide15 l.jpg

The Stages of a Network Intrusion [RAERU]

1. Scan the network to: [RECONNAISSANCE]

• locate which IP addresses are in use,

• what operating system is in use,

• what TCP or UDP ports are "open" (being listened to by servers).

2. Run “Exploit” scripts against open ports. [ACCESS]

3. Elevate privileges to “root” privileges. [ELEVATE]

4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his cpu time or disk storage space being noticed by auditing programs. [ROOT KIT]

5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE]

Detection methods annotated beside the stages on the slide (items marked * refer to StealthWatch):

Flow-based* "CI", signature-based?

Vulnerability Scan

Signature?, Flow-Based Port Profile*

Signature?, "Port-Profile*", Forbidden Zones*, Host-based

Signature?, "Port-Profile*", Forbidden Zones*, Host-based

* StealthWatch


Slide16 l.jpg

Protection from a Network Intrusion

1. Use a “Firewall” between the local area network and the world-wide Internet to limit access (Chapter 10).

2. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or monitor and prosecute).

3. Use a program like TripWire on each host to detect when systems files are altered, and email an alert to Sys Admin.

4. Microsoft PC: (XP SP3, Vista, or "7") use the OS firewall that limits incoming and outgoing communications by Application (program), not just port number. Mac: buy "Little Snitch".

General Protection: Update OS, anti-virus, applications as frequently as possible.

Rule 2: Multiple Layers of Protection are needed to reach a high level of security at an affordable cost.
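Added example (not from the slides, and not TripWire's own code): the idea behind item 3 as a small Python file-integrity check: digest every file into a baseline, compare a later scan against it, and build the alert text to email the sysadmin. The demo file sets are constructed in memory; scan_dir() does the same over a real directory tree.

```python
import hashlib, os

# Baseline is taken while the host is known-good and should be kept off-host:
# an intruder with root can rewrite a baseline that lives on the same disk.

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def baseline_from_contents(files: dict) -> dict:
    """{path: bytes} -> {path: sha256 hex}; used for the in-memory demo."""
    return {path: digest(data) for path, data in files.items()}

def scan_dir(root: str) -> dict:
    """Walk a real directory tree and digest every regular file (symlinks skipped)."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as f:
                    result[path] = digest(f.read())
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Files that were added, removed, or whose contents changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def alert_text(report: dict) -> str:
    """Body of the alert to email the sysadmin; empty string when nothing changed."""
    return "\n".join(f"{kind}: {p}" for kind in ("modified", "added", "removed")
                     for p in report[kind])

# Constructed demo: a tiny "system" of three files, then a tampered copy in which
# ps has been replaced and an extra library dropped in.
GOOD = {"/bin/ls": b"ls v1", "/bin/ps": b"ps v1", "/etc/passwd": b"root:x:0:0"}
LATER = {"/bin/ls": b"ls v1", "/bin/ps": b"ps v1 replaced", "/etc/passwd": b"root:x:0:0",
         "/usr/lib/.hidden.so": b"???"}
```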


Slide17 l.jpg

Anomaly-Based Intrusion Detection

A Negative Event, True or False, is one that does not trigger an Alarm; an event detected as Positive triggers an Alarm.

High statistical variation in most measurable network behavior parameters results in a high false-alarm rate.

#False-Positives = #Normal Events x FP-rate

#False-Negatives = #Bad Events x FN-rate

#Normal Events = #TruePositives + #FalsePositives

[Figure 9.1: distributions of normal and bad events against a measured parameter with a Detection Threshold; the regions labelled False Positives and False Negatives lie on either side of the threshold.]


Slide18 l.jpg

"Base-Rate Fallacy" Calculations

If the “behavior” is a connection:

For legitimate connections (total number = LC)

True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1

Correctly handled connections (no alarms) = TNR * LC

Incorrectly handled connections (false alarms) = FPR * LC

For malicious connections (total number = MC)

False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1

Correctly handled connections (real alarms) = TPR * MC

Incorrectly handled connections (no alarms) = FNR * MC

If LC >> MC then (FPR * LC) >> (TPR * MC)

hence “false alarms” are much greater than “real alarms”

when FPR >> MC/LC (tiny) (TPR is 1- FNR or approx. 1)

See Slide Set 09A, #17 for example calculations.
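Added example (not from the slides): the LC/MC and FPR/FNR arithmetic above as Python functions with constructed numbers, plus the FPR an IDS would need before a chosen fraction of its alarms is real.

```python
def ids_outcomes(LC: int, MC: int, FPR: float, FNR: float) -> dict:
    """LC legitimate and MC malicious connections; TNR = 1 - FPR, TPR = 1 - FNR."""
    TNR, TPR = 1 - FPR, 1 - FNR
    false_alarms = FPR * LC          # legitimate, but alarmed
    true_negatives = TNR * LC        # legitimate, no alarm
    real_alarms = TPR * MC           # malicious, alarmed
    false_negatives = FNR * MC       # malicious, no alarm
    alarms = false_alarms + real_alarms
    return {
        "false_alarms": false_alarms, "real_alarms": real_alarms,
        "true_negatives": true_negatives, "false_negatives": false_negatives,
        # fraction of alarms that are real: what the analyst actually experiences
        "p_real_given_alarm": real_alarms / alarms if alarms else 0.0,
        # the slide's condition: false alarms dominate when FPR >> MC/LC
        "base_rate": MC / LC,
    }

def fpr_needed(LC: int, MC: int, FNR: float, target_p: float) -> float:
    """FPR at which a fraction target_p of all alarms would be real alarms."""
    TPR = 1 - FNR
    # target_p = TPR*MC / (TPR*MC + FPR*LC), solved for FPR
    return TPR * MC * (1 - target_p) / (target_p * LC)

# Constructed numbers: a million legitimate connections, 100 malicious ones,
# an IDS with 0.1% false-positive and 1% false-negative rates.
EXAMPLE = ids_outcomes(1_000_000, 100, 0.001, 0.01)
```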


Slide19 l.jpg


What was learned from homework problems?

Outside Reading

Government Security Requirements for Utility Networks – debate in congress.

Pentagon – doing what.

Advanced Persistent Threat – who's doing it, and why.

Adobe Systems – vulnerabilities in what products.

Oracle - vulnerabilities in what products.


Slide20 l.jpg

The test will cover the slide sets: 05a-PGP-Email.ppt, 05b-SMIME.ppt,

05c-Phishing Email.ppt, 05d-Phishing Email 2.ppt, 05e-Plain Text Email.ppt

06a DNS.ppt, 06-IP Networks.ppt, 09a-Intrusion.ppt

It will not cover Simple Network Management Protocol (08-SNMP.ppt).

You will be able to bring your Quiz-1 reference sheet. You should review areas you missed on Quiz-1. 

We discussed SSL/TLS in connection with Public-Private keys, and had a guest speaker, George Macon, talk about problems and changes to SSL. His slides are available at:

http://www.csc.gatech.edu/copeland/jac/6612/slides/07b-SSL_TLS 2013.pdf


You should know a lot about SSL by now. You may benefit from briefly reviewing the SSL part of 07-SSL-SET.ppt.

We will not cover the SET (Secure Electronic Transactions) protocol this year. It has some interesting technology, like the "dual signature," but the standard has not gained traction after several years.