Lecture 8 - Security. 10 Laws of Security Cryptography Virus vs. Worm vs. Trojan Firewalls Checksums Passwords. 10 Laws of Security. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.
Lecture 8 - Security • 10 Laws of Security • Cryptography • Virus vs. Worm vs. Trojan • Firewalls • Checksums • Passwords
10 Laws of Security • If a bad guy can persuade you to run his program on your computer, it's not your computer anymore. • If a bad guy can alter the operating system on your computer, it's not your computer anymore. • If a bad guy has unrestricted physical access to your computer, it's not your computer anymore. • If you allow a bad guy to upload programs to your website, it's not your website anymore. • Weak passwords trump strong security. • A computer is only as secure as the administrator is trustworthy. • Encrypted data is only as secure as the decryption key. • An out of date virus scanner is only marginally better than no virus scanner at all. • Absolute anonymity isn't practical, in real life or on the Web. • Technology is not a “cure-all” paradigm.
Cryptography • We’ve talked a bit about this with respect to ssh • Let’s cover it a little more
Symmetric vs. Non-symmetric • Symmetric • One “shared” key to encrypt and decrypt • Asymmetric • Two “private” keys • Encryption with one requires decryption with the other
Symmetric Algorithms • DES (Data Encryption Standard) • 56-bit key to encrypt 64-bit blocks • IDEA (International Data Encryption Algorithm) • 128-bit key to encrypt 64-bit blocks • Uses subkeys created from 128-bit key • Blowfish • Variable-length key (32-448 bits) • Unpatented and license-free
Asymmetric Algorithms • DSA • Digital Signature Authority • RSA • Rivest, Shamir, and Adleman • “Magic” • Not really… • …but beyond scope of the class • …(and not on exam)
Secure Communications • Public-key systems (asymmetric keys) too slow • Use public-key system to distribute symmetric keys • Remind you of anything?
Digital Signatures • I need to know that the PDF someone sent me: • …really came from them • …has not been altered
Digital Signatures • Chell computes a one-way hash of a document • One-way hash means A→B is easy, but B→A is hard, computational complexity-wise
Digital Signatures • Chell encrypts hash with private key. • This is the signature
Digital Signatures • Chell sends both items to Cave • Original document • Signature (private-key encrypted hash)
Digital Signatures • Cave produces one-way hash of Chell’s document • Cave decrypts signature with Chell’s public key • Cave makes sure both hashes match
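The sign-and-verify exchange from the Digital Signatures slides, as an added example that is not part of the original lecture. It assumes SHA-256 as the one-way hash and unpadded textbook RSA with a constructed toy key pair; the function names are hypothetical, and real signature schemes add padding such as RSA-PSS.

```python
import hashlib

# Constructed toy key pair for Chell, built from two well-known Mersenne primes.
# Assumption for illustration: real keys use random primes and padded signatures.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known only to Chell


def digest(document: bytes) -> int:
    """One-way hash of the document (SHA-256), as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, d: int = D, n: int = N) -> int:
    """Chell: 'encrypt' the hash with the private key. The result is the signature."""
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Cave: hash the received document, 'decrypt' the signature with
    Chell's public key, and check that the two hashes match."""
    if not 0 <= signature < n:
        return False               # not a valid value modulo N
    return pow(signature, e, n) == digest(document)


if __name__ == "__main__":
    # Constructed sample document standing in for the PDF.
    original = b"%PDF-1.4 constructed sample: pay Cave 10 dollars"
    sig = sign(original)           # Chell sends both items: (original, sig)

    print("untouched document:", verify(original, sig))
    tampered = original.replace(b"10", b"9910")
    print("altered document:  ", verify(tampered, sig))
    print("altered signature: ", verify(original, sig ^ 1))
```

Only the holder of D can produce a value that verifies under (E, N), and any change to the document changes its hash, which is how Cave learns both who sent the file and that it was not altered.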
Digital Certificates • We want to bind info (name, email, etc) to a public key • We want to distribute package to others • Why should anyone trust us?
Digital Certificates • Certification Authority (CA) • Independent 3rd party • Pretend it’s a broker/arbitrator • Two purposes to certificates • Provides key so public can encrypt stuff for us only • Provides reassurance that we (as certificate holder) are really us
Virus vs. Worm vs. Trojan • No OS is immune to the above • Linux/Apple do better • Newer? No! • Different security protocols? Nope! • Popularity? Yes!
Terminology • Virus • Malicious “program” that modifies other programs • Spreads itself to them • It’s in ELF format • Not stand-alone (so not really a program) • Requires a host program to leech from
Terminology • Worm • Malicious program that modifies other programs • Copies itself entirely • If it becomes part of another program, it’s a virus again • May contain viruses and other programs as the “payload”
Terminology • Trojan • Program that appears to have one use, but actually has another • That ‘another’ thing is malicious • May actually do the intended things
Terminology • Back door • Intentional software hole • Left by developers/administrators • Exploited by hackers* *Coming up in a second
Terminology • Hackers • People that find weaknesses in computers and systems • Motivated by profit, protest, moral/ethical reasons, thrills, boredom, etc
Terminology • Black hats • “Bad” guys • Criminals, etc • White hats • “Good” guys • Security experts, etc
Terminology • Is pinging okay? • …maybe • Like knocking on everyone’s front door • Trying to make connection? • …probably not • Like going through front doors and looking around • If store, okay. If home, not at all!
Terminology • Script kiddies • Run existing tools • They press the “Attack!” button and cackle endlessly • Understand what tool does • Little to no idea of the details
Discussion topics • Right to privacy • Browsing history • Encrypted content • Hacking a banking system to prove it can be done?
Discussion Topics • I am system admin at Bank XYZ • Found un-patchable hole • Do I • …turn off service? • Keep customers’ accounts secure but unusable • …leave service on? • Accounts usable, but vulnerable • …tell boss? …customers? …anyone?