General Topics - Security and Malware

Encryption - putting a message (E-mail, file etc.) into a form so that only selected people can decode it.
"Strong" encryption: Message cannot be cracked simply by trial and error even with supercomputers.
"Weak" encryption: Message can be cracked by trial and error if you use enough computing power.

Key - "Codeword" used to encrypt messages. Usually a number used to code the message using a mathematical method. The key can be many digits long (often 128 bytes).

Symmetric Key Encryption

Data is encrypted before transmission using a key. The same key is used at the other end to decrypt the message. This process is generally fast, but there is the problem of transmitting the key to the recipient(s) in the first place - as it can be intercepted (packet-sniffing or dictionary programs).

Plain text message

Encryption

(Message transmitted)

Decryption

Plain text message

• Data Encryption Standard - 56-bit key encryption standard. Widely used since the 1970s. Often considered sufficient for low-level security information.
• Triple DES - The message is encrypted using a 56-bit key, then again using another 56-bit key, then again using the first key. Stronger than DES and quite fast, but it can be implemented using standard DES hardware and software.
• Advanced Encryption Standard - Successor to DES, with 128-bit, 192-bit and 256-bit keys. Encrypts messages in 64-bit blocks at a time (block cypher).

Assymetric (Public Key) Encryption

A user creates two mathematically related keys, a public key and a private key, then makes the public key generally available (it doesn't matter who sees that). Anyone wanting to send a message to the user uses the public key to encrypt the message. The message can only be decrypted using the private key, which is never transmitted, thereby defeating any packet-sniffing attacks.

Plain text message

Encryption

(Message transmitted)

Decryption

Plain text message

Asymmetric key encryption takes considerably longer than symmetric key encryption, but is much more secure. Asymmetric algorithms include:

• RSA (Rivest, Shamir, Adelman)
• Digital Signature Algorithm (DSA), used for signing documents.
• PGP (Pretty Good Privacy). Download an international version.

Public key encryption - This is an assymetric key method.

1. The receiver generates two random keys using a program such as Pretty Good Privacy - a private key and a public key.
2. He/she publishes quite openly his/her "public" key. It doesn't matter who sees this.
3. The sender uses the receiver's public key to encrypt the message. The message cannot be decrypted without the receiver's private key (even by the sender!)
4. The encrypted message is transmitted. Anyone intercepting it cannot understand it.
5. The receiver decrypts the message using his/her private key - which must be kept secret.

RSA algorithm - The most common asymmetric algorithm, 1977 (Rivest, Shamir and Adelman).

Reasons businesses have for encrypting information include:

• detering hackers,
• protect proprietary data,
• complying with government regulations,
• responding to customer demands for increased security.

1. Simplest method is a username + password.
2. Digital certificate - password-protected, encrypted file containing message encryption, user identification and message text. Issued by trusted authorities e.g. Verisign.
3. Digital signature = Electronic stamp added to a message uniquely identifying the sender and verifying its contents.
4. Both digital certificates and signatures permit non-repudiation - you can't claim that you didn't send the message.

• Passwords.
  • Users are often forced to update their passwords after 30-90 days.
  • Users aren't allowed to re-choose a recently used password (password history)
  • Often passwords have a minimum length (e.g. must be 6 characters or more).
  • Passwords containing just letters are weak. If they contain a mixture of letters, digits and punctuation symbols, they are strong.
  • Passwords may be encrypted before being stored/transmitted. User types a plain-text password, the system encrypts it before comparing it to the stored version.
• Some physical item, such as a pass-key.
• Biometric data such as fingerprints.

Systems often employ account lockout, which disables the log-on process after between 3 and 5 unsuccessful attempts. Prevents dictionary or brute-force attacks.

Digital signature - appended to plain-text messages to prove authenticity.

• Sender creates a hash of the plain-text message.
• Encrypts the hash with a private key.
• Sends the message and the encrypted hash.
• Receiver decrypts the hash with the sender's public key.
• Receiver generates local copy of the hash from the received message and compares it with the decrypted hash.
• If they match, it proves the document has not been altered.

Network-level encryption provides encryption built-in to the OSI-RM model at the Network Layer (layer 6) e.g. Kerberos.

• Protocol used by most servers and most browsers for secure exchanges. It is commonly used for E-mail, FTP and E-commerce.
• It uses port 443.
• Originated by Netscape - current version is 3.0
• Look for the padlock symbol () in the bottom right of the browser window.
• Internet Engineering Task Force (IETF) developed its successor, Transport Layer Security (TLS). TLS is now almost universal although it is generally stiff referred to as SSL.
• SSL/TLS can use 40-bit encryption. Another version uses 128-bit encryption (now standard in US and Canada).
• Protocols can be made more secure by running them over SSL, e.g. running HTTP over SSL gives HTTPS, which encrypts and decrypts information sent to/from the browser.
• SSL/TLS is always used in conjunction with Digital Certificates - before starting an SSL-encrypted session, both communicating parties must have established a digital certificate.

• These prove the identity of an individual or company in an Internet communication.
• Issued and verified by trusted organizations only (the biggest is Verisign) - otherwise they would be useless!
• They are used in conjunction with encryption, simply to avoid fraudulent copying of the certificates.

The standard for digital certificates is X.509 consisting of:

• Name, company, address of the client.
• Public key of the certificate.
• Certificate details (issuing authority together with its digital signature, serial number, date of expiry).

Creation of a Digital Certificate:

1. A company issues a digital certificate request to a Certificate Authority.
2. The Certificate Authority may verify the credentials of the requesting company before issuing the certificate, by means of a certificate server.
3. The server always possesses the certificate and sends it to a client beginning an encrypted session.
4. The client can examine the certificate with a list of them that came installed in its browser.

Certificates expire after a set lifetime oc can be revoked, suspended. They can also be renewed A Certification Revocation List (CRL) lists all certificates that are no longer valid, can be downloaded and checked by users using Online Certificate Status Protocol (OCSP).

Registration authority - part of the CA. It can verify certificates but not issue them. It is used if the CA is under heavy pressure.

Public Key Infrastructure (PKI) - certificate authorities that also manage public encryption.

Once a client and a server are SSL-enabled, the client and server must negotiate a connection by using a handshake. In this handshake, both parties authenticate each other and agree on a type of encryption algorithm to be used (RSA, DSA etc.) This encryption is used to encrypt the session key which is shared between server and client.

Firewalls

Security barriers controlling the flow of information into and out of computer systems.

• Can block unsuitable web sites or the entire WWW (by blocking port 80).
• Prevents outsiders from accessing files on your system.
• Do not ensure data integrity as they do not encrypt or authenticate data.

Desktop firewall systems - found on individual workstations.

• Many operating systems come with firewall built in, though often disabled by default, as in the case of Windows XP.
• Unix and Linux systems have applications to block connections: iptables on newer systems, ipchains on older systems.
• Some firewalls allow
  • Logging of when connections were made, from where etc.
  • Blocking protocols. You can block various protocols. Blocking protocols such as Internet Messaging Control Protocol. Blocking ICMP is common as hackers often use this protocol for Denial of Service attacks. However, trouble-shooters often use this protocol to test whether a computer can communicate over a network.

Desktop firewalls can be configured

• Default open - allows traffic unless specifically forbidden.
• Default closed - blocks traffic unless specifically allowed.

Malware

Malicious software arriving on computer systems secretly with the specific purpose of harming the computer system and spreading to other systems.

Viruses

These assume control of system functions to damage/destroy data and ensure copies of itself are transmitted to other systems. They can

• display harmless messages on the screen,
• fill all available memory, effectively disabling the computer system,
• corrupt or destroy data files,
• erase the contents of the entire hard disk.

Boot sector virus	Hides in the initial sector of a disk used only when the operating system is loaded from the disk ("booting up"). If a hard disk is infected, the virus activates whenever the computer switches on.
Bomb	Virus programmed to activate when a specific event happens, often a specific date or anniversary.
Cluster virus	Infects the filing system of a disk, and runs when an infected program on the disk is run.
Macro virus	Hides in macro programs attached to files such as Word or Excel files. Activates if file is opened (unless the user's Word/Excel blocks macros).
File-infecting virus	Infects program files on a disk. Activates when the infected program is run.
Stealth virus	Hides in memory and makes conceals changes it makes to files, by redirecting hard disc requests and manipulating directory structures, so that the Operating system cannot detect it.
Polymorphic virus	contains code so that it runs differently every time, to fool anti-virus programs that look for patterns of virus behaviour.
Retro	specifically attacks antivirus software.

Viruses are typically caught:

• from infected floppy disks
• by opening infected attachments to E-mails
• by downloading an infected file from the Internet
• by opening a document infected with a macro virus

To minimise the risk of viruses:

• Avoid all suspect sources of programs or other files.
• Do not open attachments unless they come from a reliable source. If in doubt, contact the sender.
• Use antivirus software - AND KEEP IT UP TO DATE!
• Make regular back-up copies of data!
• Make sure you have a recovery/boot disk that you know is clean.
• Educate all users about virus transmission.

If a virus strikes,

• Switch off the machine immediately.
• Boot it up from a clean system/recovery disk.
• Use antivirus software to clean your hard disk.
• Track down copies of infected files and clean/delete them.

Worms

A self-replicating program spreading across networks that consumes resources such as memory, effectively disabling systems. Unlike viruses, worms do not alter files.

Trojan Horses

A program that appears to be harmless (often posing as a malware removal program!), but performs some malicious function when activated.

Illicit server

This installs hidden software ("server code") on client systems to allow a remote user to monitor or take control of the system without the client's consent.

Spyware

Also known as "adware". This software is secretly placed on a user's system and relays information about browsing habits etc. to a remote system. Spyware can

• monitor key strokes,
• read cookies,
• scan files,
• automatically install other spyware etc.

Spyware can be blocked/removed by anti-spyware programs. These work by having lists of known spyware and by checking systems for unusual activity.

Hosted by www.Geocities.ws