Professional Documents
Culture Documents
Cyber Space
Computer Security
Secure computing platform, designed so that agents (users or
programs) can only perform actions that have been allowed.
This involves specifying and implementing a security.
Computer security is the effort to create a policy
Information Security
Information security is not confined to computer systems, nor
to information in an electronic or machine-readable form. It
applies to all aspects of safeguarding or protecting information
or data, in whatever form.
Network Security
Protection of networks and their services from unauthorized
modification, destruction, or disclosure, and provision of
assurance that the network performs its critical functions
correctly and there are no harmful side-effects.
Information Protection
Information are an important strategic and
operational asset for any organization
Damages and misuses of information
affect not only a single user or an
application; they may have disastrous
consequences on the entire organization
Additionally, the advent of the Internet as
well as networking capabilities has made
the access to information much easier
Information Security
additional requirements
Information Quality it is not considered
traditionally as part of information security
but it is very relevant
Completeness it refers to ensure that
subjects receive all information they are
entitled to access, according to the stated
security policies
Data vs Information
Computer security is about controlling access to
information and resources
Controlling access to information can sometimes
be quite elusive and it is often replaced by the
more straight forward goal of controlling access
to data
The distinction between data and information is
subtle but it is also the root of some of the more
difficult problems in computer security
Data represents information. Information is the
(subjective) interpretation of data
Data vs Information
Data vs Information
Protecting information means to protect
not only the data directly representing the
information
Information must be protected also against
transmissions through:
Inference
It is typical of database systems
It refers to the derivation of sensitive
information from non sensitive data
Attack:
Any
action
that
compromises the security of information.
Security Mechanism: A mechanism that is
designed to detect, prevent, or recover from a
security attack.
Security Service: A service that enhances
the security of data processing systems and
information transfers.
A security service
makes use of one or more security mechanisms.
Security Attacks
Interruption: This is an attack on
availability
Interception: This is an attack on
confidentiality
Modification: This is an attack on
integrity
Fabrication: This is an attack on
authenticity
Security Attacks
Security Attacks
Interruption: This is an attack on availability
Interception: This is an attack on
confidentiality
Modification: This is an attack on integrity
Fabrication: This is an attack on authenticity
Security Services
Confidentiality (privacy)
Authentication (who created or sent the data)
Integrity (has not been altered)
Non-repudiation (the order is final)
Access control (prevent misuse of resources)
Availability (permanence, non-erasure)
Denial of Service Attacks
Virus that deletes files
10
11
Methods of Defence
Encryption
Software Controls (access limitations
in a data base, in operating system
protect each user from other users)
Hardware Controls (smartcard)
Policies (frequent changes of
passwords)
Physical Controls
Basic Terminology
plaintext - the original message
ciphertext - the coded message
cipher - algorithm for transforming plaintext to
ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering ciphertext from
plaintext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - the study of principles/
methods of deciphering ciphertext without knowing key
cryptology - the field of both cryptography and
cryptanalysis
12
13
Privacy
Privacy is the ability of a person to
control the availability of information
about and exposure of him- or herself.
Where is my data?
How is it used?
Who sees it?
Is anything private anymore?
Privacy
Additionally, the advent of the
Internet as well as networking
capabilities has made the
access to information much easier.
Damages and misuses of information affect
not only a single user or an application; they
may have disastrous consequences on the
entire organization
14
Privacy in Cyberspace
The Internet offers many benefits:
Electronic mail
instant messaging
Chat rooms
YOU
Search for
medical
information
Buy book
Set
cookie
Ad
Search
engine
Read
cookie
With cooperation
from book store, ad
company can get
your name and
address from
book order and
link them to
your search
Ad
Book
Store
15
Cookies
Cookies can be useful
used like a staple to attach multiple parts
of a form together
used to identify you when you return to a
web site so you dont have to remember a
password
used to help web sites understand how
people use them
16
17
18
Cross Side
Scripting ( XSS)
19
Cross Side
Scripting ( XSS)
<script>document.location="hack.html"</script>
20
Enter 100
SQL Injection
Attack
12' or '1'='1
(OR condition pass as parameter
to make where clause true )
21
Firewall Limitation
22
Multi-Step Attack
Vulnerable
Web Site
1. Find Vulnerable
web Site
Victim
Attacker
23
Information Security:
Solution
24
Privacy
How Did They Get My Data?
Loans
Charge accounts
Orders via mail
Magazine subscriptions
Tax forms
Applications for
schools, jobs, clubs
Insurance claim
Hospital stay
Sending checks
Fund-raisers
Advertisers
Warranties
Military draft
registration
Court petition
Privacy
How Did They Get My Data?
25
Information Protection
Protecting information means to
protect not only the data directly
representing the information
Information must be protected also
against transmissions through:
Inference
It is typical of database systems
It refers to the derivation of sensitive
information from non sensitive data
26
Inference - Example
Assume that there is a policy stating that the
average grade of a single student cannot be
disclosed; however statistical summaries can
be disclosed Suppose that an attacker knows
that Carol is a female CS
27
Encryption Tools
Encryption tools
File encryption
Email encryption
Encrypted network connections
Examples: SSL, PGP, Encryptionizer
Pros:
Inexpensive (free) / Easily accessible
Cons:
Encryption Software isnt used unless it is built-in to the
software
Both parties need to use the same software
Conclusions:
Easy access
All parties need to use the same tool
Good start but not sufficient enough
Encryption tools
File encryption
Email encryption
available as plug-ins
Web-based encrypted email
Email that self-destructs Disappearing, Inc.
28
Disappearing, Inc.
Filtering Tools
Cookies Cutter
Programs that prevent browsers
from exchanging cookies
Can block:
Cookie /Pop-ups
http headers that reveal sensitive info
Banner ads / Animated graphics
Spywar
Spyware Killer
Spyware programs gather info and send it to
websites
Downloaded without user knowledge
29
Anonymity
Anonymity is derived from the Greek word ,
meaning "without a name" or "namelessness". In
colloquial use, the term typically refers to a person,
and often means that the personal identity, or
personally identifiable information of that person is
not known.
"anonymous message"
ANONYMITY
Anonymous Remailer. These
systems either give you an
anonymous address, to which
other people can send you mail,
which is then forwarded to your
real address (this is sometimes
referred to as a pseudonymous
server
Email spoofing :A spoofed
email is one that appears to
originate from one source
but actually has been sent
from another source.
30
Anonymizing proxy
Acts as a proxy for users
Hides information from end servers
Request
Browser
Request
Proxy
Reply
Reply
End
Server
31
http://www.anonymizer.com
Pseudonymity tools
Automatically generate user names, passwords,
email addresses, etc. unique to each
web site you visit
quote.com
mfjh
Proxy
username
asef
dsfdf
nytimes.com
expedia.com
32
33
34
35
36
EMAIL HEADER
Delivered-To: ranjansingh06@gmail.com Received: by 10.115.55.2 with SMTP id h2cs59002wak; Wed, 8 Apr
2009 10:38:05 -0700 (PDT) Received: by 10.210.53.5 with SMTP id b5mr3667848eba.12.1239212284303;
Wed, 08 Apr 2009 10:38:04 -0700 (PDT) Return-Path: <manmohansingh@gmail.com> Received: from
Bumba.profithost.net ([89.248.172.66]) by mx.google.com with ESMTP id
8si8244998ewy.109.2009.04.08.10.38.03; Wed, 08 Apr 2009 10:38:04 -0700 (PDT) Received-SPF: neutral
(google.com: 89.248.172.66 is neither permitted nor denied by domain of manmohansingh@gmail.com) clientip=89.248.172.66; Authentication-Results: mx.google.com; spf=neutral (google.com: 89.248.172.66 is neither
permitted nor denied by domain of manmohansingh@gmail.com) smtp.mail=manmohansingh@gmail.com
Received: from localhost ([127.0.0.1] helo=fakesend.com) by Bumba.profithost.net with esmtp (Exim 4.67)
(envelope-from <manmohansingh@gmail.com>) id 1Lrcf9-0007hi-8i for ranjansingh06@gmail.com; Wed, 08 Apr
2009 13:38:15 -0500 Date: Wed, 8 Apr 2009 13:38:15 -0500 To: ranjansingh06@gmail.com From: dr
manmohan singh <manmohansingh@gmail.com> Subject: appointment Message-ID:
<ddbe7ca7a7f3766f4b133647a88e0d4b@fakesend.com> X-Priority: 3 X-Mailer: PHPMailer [version 1.73]
MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="iso-8859-1"
congaratulation.............
37
headertool.apelord.com
38
39
Private Identity
iPrivacy ABCDEF
1 dQg85xP26
Kansas City, KS
11122
ABCDEF@iPrivacy.com
WEB e- Tailer
Order Entry System
Submit Credit Card
If Authorized Ship Product
Shipping Subsystem
WEB FORM
Name : iPrivacy ABCDEF
1 dQg85xP26
Address:
:
City : Kansas City
State : KS
Zip : 11122
Email : ABCDEF @iPrivacy.com
iPrivacy ABCDEF
1 MAIN ST
Kansas City, KS 11122
40
Incogno SafeZone
The merchant offers Incogno
SafeZone from its site
Incogno SafeZone
Incogno reinforces that the
purchase is anonymous.
41
Privacy policies
Policies let consumers know about
sites privacy practices
Consumers can then decide whether or
not practices are acceptable, when to
opt-in or opt-out, and who to do
business with
The presence or privacy policies
increases consumer trust
Policies
Policy says what is, and is not, allowed
This defines security for the information
Component of a security Policy
Who can use resources
Proper use of the resources
Granting access & use
System Administrator privileges
User rights & responsibilities
What to do with sensitive information
Desired security configurations of systems
42
Policy Tools
P3P (Platform for Privacy Preferences)
Developed by World Wide Web Consortium
Usage:
Users declare their privacy policy on their browsers
Websites register their policy with Security agencies
The website policy is compared with user policy and the
browser makes automated decisions
Benefits:
Might help uncover privacy gaps for websites
Can block cookies or prevent access to some sites
43
service
user
agreement
user data
repository
data
practices
preferences
Privacy policy
P3P policy
Precisely scoped
44
45
The Internet
Anonymizing agent
Regulatory
and
self-regulatory
framework
User
Secure
channel
Cookie cutter
Service
Regulatory
and
self-regulatory
framework
46
"Private" Services
Virtually all online services offer some sort of
"private" activity that allows subscribers to send
personal e-mail messages to others.
The federal Electronic Communications Privacy Act
(ECPA)
makes
it
unlawful
under
certain
circumstances for someone to read or disclose the
contents of an electronic communication.
But, ECPA is a complicated law and contains many
exceptions.
47
Privacy in Cyberspace
The Internet offers many benefits:
Web sites provide a vast world of information,
entertainment, and shopping at our fingertips.
Electronic mail, instant messaging, and chat rooms
enable us to communicate with friends, family, and
strangers in ways we never dreamed of a decade
ago.
Online Communications
48
Public Activities
Newsgroups.
For example, a message you post to a public
newsgroup or forum is available for anyone to
view, copy, and store.
In addition, your name, electronic mail (e-mail)
address, and information about your service
provider are usually available for inspection as
part of the message itself.
Before you post a message to a public forum, ask
yourself if want an employer or family member to
be able to read your posting in years to come.
Public Activities
List serves.
Other public activities may allow message to be
sent to multiple recipients.
Online newsletters and "listserves" are sent to a
mailing list of subscribers.
If you wish to privately reply to an individual who
has posted a message in an online newsletter or
listserve, be sure you address it specifically to that
person's address, not to the newsletter address.
49
Public Activities
Subscriber directories.
Most ISPs provide online
member
directories
that
publicly list all subscribers to
the service.
Some of these directories may
list
additional
personal
information.
Most
service
providers will allow users to
remove their information from
these
directories
upon
request.
Be aware that some service
providers may sell their
membership lists to direct
marketers.
Public Activities
Domain registration.
Many individuals obtain their own website
name, called domain names, for example,
www.XYZfamily.org.
Domain registrations are public
information. Anyone can look up the owner
of a domain name online by using a
service such as www.checkdomain.com or
www.internic.net/whois.html.
Don't use personal e-mail or home address
information when you register for a
personal domain name.
50
51
Protect privacy in
cyberspace?
Do not use public terminals :- Publiclyavailable Internet terminals are not likely to
be closely supervised to ensure online
privacy and security. They are used by
many individuals every day.
Create passwords with nonsensical
combinations of upper and lower case
letters, numbers and symbols, for example
tY8%uX.
52
Protect privacy in
cyberspace?
Look for the privacy policy of the online
services you use. . If you are not satisfied
with the policy, or if there is no policy or
seal logo posted, avoid using the site.
Check your browser's cookie settings.
Shop around. Investigate new services
before using them. Post a question about a
new service in a dependable forum or
newsgroup.
Protect my privacy in
cyberspace
Do not provide sensitive personal information
Be cautious of "start-up" software that
registers you as a product user and makes an
initial connection to the service for you.
Typically, these programs require you to
provide financial account data or other
personal information, and then upload this
information automatically to the service.
Use a pseudonym and a non descriptive email address when you participate in public
forums.
53
USB
devices
plugged
into this
machine
54
55
56
57
58
59
Firewall log
60
References
1. Privacy Enhancing Technologies (PET), Bobby
Vellanki Computer Science Dept. Yale University
Oct . 2003
2. Overview of Information Security Elisa Bertino
CERIAS and CS &ECE Departments Purdue
University.
3. Online Privacy Technologies Dr. Lorrie Faith
Cranor
AT&T
Labs-Research
61
Email :-
deepaktomar@manit.ac.in
By
62