
Quiz-2 Review ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177



  1. Quiz-2 Review ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: Klaus 3362 email or call for office visit, or call 404 894-5177 2013

  2. Quiz-2 Topic Areas
     • Email Security - PGP, S/MIME
     • IP Security - IPsec (AH, ESP modes, VPN)
     • Web Security - Secure Socket Layers (SSL, TLS) - Certificates, CA’s, Hashes (MD5)
     • Intruders (and other Malicious Users) - Protection
     • DNS - cache poisoning (Birthday Attack used)
     • IDS - (Base-Rate Fallacy, False-Positive Rate)
     • Viruses - Worms, Trojan Horses, Logic Bombs, ...
     We did not do slides 9c, but we have discussed: BotNets, DDoS, SPAM, Phishing

  3. Email Privacy
     Establishing Keys
     • Public Key Certification
     • Exchange Public Keys
     Multiple Recipients
     • Encrypt message m with session key, S
     • Encrypt S with each recipient's key
       Send: {S; Kbob}, {S; Kann}, ... , {m; S}
     Authentication of Source (digital signatures)
     • Hash (MD5, SHA2) of message, encrypted with signer's private key. Check by decrypting with signer's public key, and compare to new hash.

  4. Digital Signature 4 From "PGP Freeware for MacOS, User's Guide" Version 6.5, Network Associates, Inc., www.pgp.com

  5. PGP Email Receiver (figure, p.144-145 ed.3). Processing blocks: R64 Decode to binary, ZIP Decompress, Check Signature, Message. Key material: Typed Passphrase, Your Private Key Ring (Receiver’s Private Key), Public Key Ring (Sender’s Public Key), Session Key. Legend: H - Hash, DC - Symmetric Decryption, DP - Pub./Priv. Decryption.

  6. R64 Encode: Every 3 bytes split into 4 6-bit numbers, n = 0 to 63
     Input (3 bytes): 011001001011010101101010
     Output (4 encoded bytes)*: 01011001 01001011 01010101 01101010
     Printable characters: a-z A-Z 0-9 + /
     In a received message, “=“, “>”, CR, LF, ... are ignored.
     * For most 6-bit inputs, R64(n) just adds 64 (puts an “01” in front).
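The 3-bytes-to-4-sextets rule above, implemented as an added Python example (not code from the slides): an encoder that maps each 6-bit value through the a-z A-Z 0-9 + / alphabet, and a decoder that, as the slide says a receiver does, skips “=”, “>”, CR, LF and anything else outside the alphabet. `slide_example` runs the slide's own 24-bit input 011001001011010101101010 through the encoder; the standard library's `base64` module is used only as a cross-check in `matches_stdlib`.

```python
import base64

# Radix-64 alphabet exactly as listed on the slide: A-Z, a-z, 0-9, + and /
R64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
R64_VALUE = {c: i for i, c in enumerate(R64_ALPHABET)}


def r64_encode(data: bytes) -> str:
    """Every 3 bytes (24 bits) become 4 six-bit numbers (0..63), each mapped
    through the alphabet. A trailing 1- or 2-byte group is padded with zero
    bits and the output padded with '=' to a multiple of 4 characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)
        bits = int.from_bytes(chunk + b"\x00" * pad, "big")  # one 24-bit integer
        # Peel off the four 6-bit numbers, most significant first
        sextets = [(bits >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        chars = [R64_ALPHABET[n] for n in sextets]
        # Characters that would encode only padding bits are written as '='
        for k in range(pad):
            chars[3 - k] = "="
        out.extend(chars)
    return "".join(out)


def r64_decode(text: str) -> bytes:
    """Decode, ignoring every character outside the alphabet ('=', '>', CR, LF,
    spaces from quoting or line wrapping), as the slide describes the receiver doing."""
    sextets = [R64_VALUE[c] for c in text if c in R64_VALUE]
    out = bytearray()
    for i in range(0, len(sextets), 4):
        group = sextets[i:i + 4]
        n = len(group)
        if n == 1:
            raise ValueError("dangling 6-bit group: not a valid R64 stream")
        bits = 0
        for s in group + [0] * (4 - n):   # zero-fill a short final group
            bits = (bits << 6) | s
        full = bits.to_bytes(3, "big")
        out.extend(full[: n - 1])          # 2 sextets -> 1 byte, 3 -> 2, 4 -> 3
    return bytes(out)


def slide_example() -> str:
    """The slide's 24-bit input 011001001011010101101010, encoded."""
    return r64_encode(int("011001001011010101101010", 2).to_bytes(3, "big"))


def matches_stdlib(data: bytes) -> bool:
    """Cross-check against the standard library's base64 encoder."""
    return r64_encode(data) == base64.b64encode(data).decode("ascii")
```

The slide's three bytes come out as the four characters ZLVq, which is why the printed form of a PGP message is pure ASCII and about a third longer than the binary it carries.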

  7. Simple Mail Transfer Protocol (SMTP, RFC 822)
     SMTP Limitations - Cannot transmit, or has a problem with:
     • executable files, or other binary files (jpeg image).
     • “national language” characters (non-ASCII)
     • messages over a certain size
     • ASCII to EBCDIC (or other character set) translation problems
     • lines longer than a certain length (72 to 254 characters)
     MIME Defined Five New Headers
     • MIME-Version. Must be “1.0” -> RFC 2045, RFC 2046
     • Content-Type. More types being added by developers (application/word)
     • Content-Transfer-Encoding. How message has been encoded (radix-64)
     • Content-ID. Unique identifying character string.
     • Content-Description. Needed when content is not readable text (e.g., mpeg)
     Canonical Form: Standard format for use between systems (not a “native” format - GIF).

  8. Investigating Email You Receive
     Look at “Raw” or “Source” Message to see:
     • Headers (from?) - “Received:” headers (IP, time zone)
     • HTML Links (where they will take you)
     Investigate Source (who sent it) - Lowest “Received:” header
     Active Links in <a href=“http://{IP or URL}”>{text}</a>
     Images (can compromise, or “Web Bug”) in <img src=“{IP, URL or filename}” … >
     Programs to Use
     • nslookup (dig, host) - IP from URL, or URL from IP
     • whois - Register of domain (not URL)
     • traceroute - path of packets through routers
     Configure email reader to not download links automatically
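The checks in slide 8, as an added Python example that is not part of the slides: it parses a constructed phishing-style message (the hosts are made up and the IP addresses come from the RFC 5737 documentation ranges) with the standard `email` and `html.parser` modules, walks the “Received:” headers down to the lowest one (the hop closest to the sender) to pull out its IP and time zone, and lists every `<a href>` with its visible text and every `<img src>`, flagging links whose displayed URL names a different host than the real target.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for the walkthrough (not a real email). Hosts are
# invented; 198.51.100.x and 203.0.113.x are RFC 5737 documentation addresses.
RAW_MESSAGE = b"""Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.edu with ESMTP; Tue, 5 Mar 2013 10:02:11 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mail.example.net with SMTP; Tue, 5 Mar 2013 23:01:50 +0800
From: "Campus IT" <helpdesk@example.edu>
To: joe@example.edu
Subject: Password expires today
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your password expires today. Log in at
<a href="http://203.0.113.45/login">https://portal.example.edu</a></p>
<img src="http://203.0.113.45/t.gif?id=joe" width="1" height="1">
</body></html>
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_headers(raw: bytes) -> list:
    """All "Received:" headers, top (last hop, nearest to us) to bottom (nearest the sender)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def describe_received(header: str) -> dict:
    """Pull the bracketed IP and the timestamp's time-zone offset out of one Received header."""
    ip_match = IP_IN_BRACKETS.search(header)
    stamp = header.rsplit(";", 1)[-1].strip()
    tz = parsedate_to_datetime(stamp).strftime("%z") if stamp else ""
    return {"ip": ip_match.group(1) if ip_match else None, "tz": tz, "header": header}


def origin_hop(raw: bytes) -> dict:
    """The lowest Received header is the one added closest to the sending machine."""
    return describe_received(received_headers(raw)[-1])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> and the src of every <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links_and_images(raw: bytes):
    """Return ([(href, shown_text), ...], [img_src, ...]) from the HTML body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body is not None else "")
    return parser.links, parser.images


def mismatched_links(links) -> list:
    """Links whose visible text is itself a URL naming a different host than the real href."""
    out = []
    for href, text in links:
        shown = urlparse(text) if "://" in text else None
        if shown is not None and shown.hostname and shown.hostname != urlparse(href).hostname:
            out.append((text, href))
    return out
```

In the sample the lowest hop was stamped at +0800 while the campus relay stamped -0500, the link text shows the campus portal but the href goes to a bare IP, and a 1x1 image carries the recipient's name in its query string, which is the “Web Bug” the slide warns about. Only the top Received header can be trusted, since anything below it was written by machines outside your control.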

  9. Internet Architecture (figure: Browser - Router - Web Server, drawn as protocol stacks)
     Browser and Web Server stacks: Application Layer (HTTP) - Port 31337 on the browser, Port 80 on the web server; Transport Layer (TCP, UDP) - Segment No.; Network Layer (IP) - IP Address 130.207.22.5 and 24.88.15.22; Data-Link Layer (Token Ring on one side, Ethernet on the other); Phys. Layer.
     Router: Network Layer (IP) buffers packets that need to be forwarded (based on IP address); Data Link Layer (Token Ring / E'net); Phys. Layer.

  10. IPsec - Security Associations Transport, Host-Host Tunnel, Gateway-Gateway (Routers) 10

  11. DNS (figure from “Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross, ch. 2 Application Layer): requesting host joe.poly.edu, local DNS server dns.poly.edu, root DNS server, TLD DNS server, authoritative DNS server dns.urhcked.com, with the messages numbered 1 to 8.
      • Host at poly.edu wants IP address for www.urhckd.com
      • Host sends a "recursion-requested" query request to dns.poly.edu. [Host is doing a non-recursive search]
      • Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host.
      Fast Flux DNS: URL in Phish -> One of Many bots (many IP’s of bot Phishing sites).
      Note: the dot after "com" below is necessary to avoid getting the same cached answer from dns.poly.edu.
      $ nslookup www.urhckd.com.   answer 78.82.245.12
      $ nslookup www.urhckd.com.   answer 53.119.24.124

  12. DNS Cache Poisoning - Birthday Attack (figure: Local DNS, NS-CNN.COM, Hacker, "DOS Attack"; time runs downward)
      • Hacker sends 260 requests for the same domain, cnn.com, and N replies "www.cnn.com is 66.66.66.66" with a fake Auth. N.S. IP address, with random IDs.
      • Local DNS sends 260 queries (Lookup www.cnn.com) with different IDs to NS-CNN.COM; the genuine answer "dns.cnn.com is 64.236.90.21" arrives later.
      • Correct guess of one ID -> Local DNS caches www.cnn.com = 66.66.66.66.
      Probable no. of hits = 260*N/(256^2) = 1 if N = 252. Prob(hits > 0) = 0.63. Total packets = 512.
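The probability figures on slide 12, worked through in an added Python example (not from the slides). `prob_at_least_one_hit` uses the same approximation the slide does, that each of the 260 x N (outstanding query, forged reply) pairs matches independently with probability 1/65536. The 32-bit case is an assumption added here to show why resolvers randomize the 16-bit UDP source port along with the transaction ID: the same 512-packet budget then yields a negligible chance of a poisoned cache.

```python
import math

ID_SPACE_16 = 2 ** 16   # the 16-bit DNS transaction ID alone (256^2 on the slide)
ID_SPACE_32 = 2 ** 32   # assumed mitigation: 16-bit ID plus a randomized 16-bit UDP source port


def expected_hits(queries: int, replies: int, id_space: int = ID_SPACE_16) -> float:
    """Slide formula: probable number of hits = queries * replies / id_space."""
    return queries * replies / id_space


def prob_at_least_one_hit(queries: int, replies: int, id_space: int = ID_SPACE_16) -> float:
    """Each (query, reply) pair matches independently with probability 1/id_space,
    so the chance that none of them match is (1 - 1/id_space)^pairs."""
    pairs = queries * replies
    return 1.0 - (1.0 - 1.0 / id_space) ** pairs


def replies_for_one_expected_hit(queries: int, id_space: int = ID_SPACE_16) -> int:
    """Number of forged replies that makes the expected hit count 1 (rounded)."""
    return round(id_space / queries)


def total_packets(queries: int, replies: int) -> int:
    """Packets the resolver sees from the attacker in this scenario."""
    return queries + replies


def poisson_approximation(queries: int, replies: int, id_space: int = ID_SPACE_16) -> float:
    """1 - e^(-expected hits): the closed form behind the slide's 0.63."""
    return 1.0 - math.exp(-expected_hits(queries, replies, id_space))


def compare_id_spaces(queries: int = 260, replies: int = 252) -> dict:
    """The slide's 260/252 scenario under a 16-bit and a 32-bit effective ID space."""
    return {
        "16-bit": prob_at_least_one_hit(queries, replies, ID_SPACE_16),
        "32-bit": prob_at_least_one_hit(queries, replies, ID_SPACE_32),
    }
```

With 260 outstanding queries the attacker needs only about 252 forged replies for one expected match (the slide's 512 packets), and the chance of at least one match is 1 - e^-1, about 0.63. Spread the same 65,520 pairs over a 32-bit space and that chance drops to roughly 1.5e-5, which is why source-port randomization, not just unpredictable IDs, is the expected configuration for a caching resolver.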

  13. Combo* called: HTTPS, SFTP, ESMTP (SNMP version 3)
      HTTPS - Hyper Text Transport Protocol, Secure
      SFTP - Secure File Transport Protocol
      ESMTP - Enhanced Simple Mail Transport Protocol = TLS + SMTP
      Secure Socket Layer ~= Transport Layer Security

  14. Definitions
      • Virus - code that copies itself into other programs. A “Bacteria” replicates until it fills all disk space, or CPU cycles.
      • Payload - harmful things the malicious program does, after it has had time to spread.
      • Worm - a program that replicates itself across the network (usually riding on email messages or attached documents, e.g., macro viruses). Email “viruses” are technically “worms”.
      • Trojan Horse - instructions in an otherwise good program that cause bad things to happen (sending your data or password to an attacker over the net).
      • Logic Bomb - malicious code that activates on an event (time, trigger).
      • Trap Door (or Back Door) - undocumented entry point written into code for debugging that can allow unwanted users.
      • “Vulnerability” - a program defect that permits “Intrusions”.
      • Easter Egg - extraneous code that does something “cool.” A way for programmers to show that they control the product.
      • Bot, BotNet - Large P2P network (hundreds to millions) of compromised computers (Bots) that communicate to commit DDoS, SPAM, Phish.

  15. The Stages of a Network Intrusion [RAERU]
      1. Scan the network to: [RECONNAISSANCE]
         • locate which IP addresses are in use,
         • what operating system is in use,
         • what TCP or UDP ports are “open” (being listened to by Servers).
      2. Run “Exploit” scripts against open ports. [ACCESS]
      3. Elevate privileges to “root” privileges. [ELEVATE]
      4. Download from Hacker Web site special versions of systems files that will let Cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs. [ROOT KIT]
      5. Use IRC (Internet Relay Chat) to invite friends to the feast, or use the computer and its info another way. [UTILIZE]
      Detection methods noted beside the stages on the slide (* = StealthWatch): Flow-based* "CI", signature-based?; Vulnerability Scan Signature?, Flow-Based Port Profile*; Host-based; Signature?, "Port-Profile*", Forbidden Zones*, Host-based (the last group appears twice).

  16. Protection from a Network Intrusion
      1. Use a “Firewall” between the local area network and the world-wide Internet to limit access (Chapter 10).
      2. Use an IDS (Intrusion Detection System) to detect Cracker during the scanning stage (lock out the IP address, or monitor and prosecute).
      3. Use a program like TripWire on each host to detect when systems files are altered, and email an alert to Sys Admin.
      4. Microsoft PC: (XP SP3, Vista, or "7") use the OS firewall that limits incoming and outgoing communications by Application (program), not just port number. Mac: buy "Little Snitch".
      General Protection: Update OS, anti-virus, applications as frequently as possible.
      Rule 2: Multiple Layers of Protection are needed to reach a high level of security at an affordable cost.

  17. Anomaly-Based Intrusion Detection (Figure 9.1: distributions of normal and bad events against a Detection Threshold; events above the threshold are Detected as Positive -> Alarm)
      A Negative Event, True or False, is one that does not trigger an Alarm.
      High statistical variation in most measurable network behavior parameters results in high false-alarm rate.
      False Alarms = False Positives (FP); Undetected Intrusions = False Negatives (FN)
      #False-Positives = #Normal Events x FP-rate
      #False-Negatives = #Bad Events x FN-rate
      # Normal Events = #TruePositives + #FalsePositives

  18. "Base-Rate Fallacy" Calculations
      If the “behavior” is a connection:
      For legitimate connections (total number = LC):
        True-Negative-Rate + False-Positive-Rate = TNR + FPR = 1
        Correctly handled connections (no alarms) = TNR * LC
        Incorrectly handled connections (false alarms) = FPR * LC
      For malicious connections (total number = MC):
        False-Negative-Rate + True-Positive-Rate = FNR + TPR = 1
        Correctly handled connections (real alarms) = TPR * MC
        Incorrectly handled connections (no alarms) = FNR * MC
      If LC >> MC then (FPR * LC) >> (TPR * MC), hence “false alarms” are much greater than “real alarms” when FPR >> MC/LC (tiny). (TPR is 1 - FNR, or approx. 1)
      See Slide Set 09A, #17 for example calculations.
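The arithmetic of slides 17 and 18 as an added Python example (not from the slides; the example calculations in slide set 09A are not on this page, so the inputs in `example` are constructed): `alarm_breakdown` applies the four rate identities, `base_rate` gives the MC/LC threshold the slide compares FPR against, and `fpr_for_alarm_precision` inverts the identities to give the FPR a detector would need so that a chosen fraction of its alarms are real.

```python
def alarm_breakdown(LC: float, MC: float, FPR: float, FNR: float) -> dict:
    """Slide 18's identities for legitimate (LC) and malicious (MC) connections:
    TNR + FPR = 1 and FNR + TPR = 1. Returns the four outcome counts plus the
    fraction of all alarms that are real alarms."""
    TNR = 1.0 - FPR
    TPR = 1.0 - FNR
    quiet_legit = TNR * LC      # legitimate connections correctly handled (no alarm)
    false_alarms = FPR * LC     # legitimate connections that raised an alarm
    real_alarms = TPR * MC      # malicious connections that raised an alarm
    missed = FNR * MC           # malicious connections that slipped through
    total_alarms = false_alarms + real_alarms
    return {
        "quiet_legit": quiet_legit,
        "false_alarms": false_alarms,
        "real_alarms": real_alarms,
        "missed": missed,
        "fraction_of_alarms_real": real_alarms / total_alarms if total_alarms else 0.0,
    }


def base_rate(LC: float, MC: float) -> float:
    """MC/LC, the slide's threshold: with TPR close to 1, false alarms outnumber
    real alarms exactly when FPR exceeds this ratio."""
    return MC / LC


def fpr_for_alarm_precision(LC: float, MC: float, TPR: float, precision: float) -> float:
    """Solve real/(real + false) = precision for FPR, given TPR.
    Tells you how low the false-positive rate must go for a chosen share
    of alarms to be worth an analyst's time."""
    real_alarms = TPR * MC
    allowed_false_alarms = real_alarms * (1.0 - precision) / precision
    return allowed_false_alarms / LC


def example() -> dict:
    # Constructed inputs (not the slide set 09A numbers): one million legitimate
    # connections, 100 malicious ones, and a detector with 1% FPR and 1% FNR.
    return alarm_breakdown(LC=1_000_000, MC=100, FPR=0.01, FNR=0.01)
```

In the constructed case a detector that is 99% accurate in both directions still produces 10,000 false alarms against 99 real ones, so under 1% of alarms are intrusions. Getting to a 50/50 mix would require an FPR of about 1e-4, which is the MC/LC base rate itself, exactly the slide's point.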

  19. HW: What was learned from homework problems?
      Outside Reading:
      • Government Security Requirements for Utility Networks - debate in congress.
      • Pentagon - doing what.
      • Advanced Persistent Threat - who’s doing it, and why.
      • Adobe Systems - vulnerabilities in what products.
      • Oracle - vulnerabilities in what products.

  20. The test will cover the slide sets: 05a-PGP-Email.ppt, 05b-SMIME.ppt, 05c-Phishing Email.ppt, 05d-Phishing Email 2.ppt, 05e-Plain Text Email.ppt, 06a DNS.ppt, 06-IP Networks.ppt, 09a-Intrusion.ppt. It will not cover Simple Network Management Protocol (08-SNMP.ppt). You will be able to bring your Quiz-1 reference sheet. You should review areas you missed on Quiz-1. We discussed SSL/TLS in connection with Public-Private keys, and had a guest speaker, George Macon, talk about problems and changes to SSL. His slides are available at: http://www.csc.gatech.edu/copeland/jac/6612/slides/07b-SSL_TLS 2013.pdf You should know a lot about SSL by now. You may benefit from briefly reviewing the SSL part of 07-SSL-SET.ppt. We will not cover SET (Secure Electronic Transactions) protocol this year. It has some interesting technology, like the "dual signature," but the standard has not gained traction after several years.
