Computer Security

Computersecurity

Prof. dr. Frederik Questier - Vrije Universiteit Brussel

Workshop for Lib@web 2014 - International Training Program @ University of AntwerpManagement of Electronic Information and Digital Libraries

This presentation can be found athttp://questier.com

http://www.slideshare.net/Frederik_Questier

Main objectivesof computer security

➢ Confidentiality

➢ of data (secrecy)➢ of persons (privacy)➢ access only by authorized parties

➢ Integrity

➢ data only correctly modified or deleted by authorized parties

➢ Availability

➢ correctly accessible in a timely manner➢ the failure to meet this goal is called a denial of service

Student assignment:

security

➢ Congratulations!➢ You are elected member of the newly established

computer and data security team in your institution.

➢ Make a list of all possible risks that can have an impact on the security and stability of your data and internal and external IT services.

➢ Make a list of recommendations to lower the risks.

What can go wrong?Nature

➢ lightning strike➢ fire➢ flood➢ heat wave – cold wave➢ storm weather, hurricane➢ earthquake➢ tsunami➢ volcano eruption➢ electro magnetic pulse from the sun➢ disease of key employees

What can go wrong?Evil actions by people

➢ break in (hackers - crackers)➢ social engineering

➢ phishing➢ (identity) theft➢ vandalism➢ unhappy employees

➢ sabotage (time bomb)➢ cyber attack, e.g. (Distributed) Denial of Service➢ terrorism➢ war

➢ nuclear bomb

What can go wrong?Malware (malicious software)

➢ virus➢ worm➢ trojan horse➢ rootkit

➢ spyware➢ ransomware

➢ keylogger➢ network sniffer➢ back door➢ dialer

What can go wrong?Infrastructure or services problems

➢ Failure of➢ software (bugs)➢ hardware➢ electricity

➢ power outage or power surge➢ network (cable cut – saturation)➢ airconditioning➢ water pipes –> leak➢ system upgrades➢ service providers (e.g. cloud)

➢ Overload of CPU, memory, storage, network (spam)

What can go wrong?Human errors

➢ Weak security➢ Loss of laptops, smartphones, USB-sticks, …➢ No encryption➢ Passwords leaks or cracks➢ Computer console left unlocked

➢ Misunderstanding computer interface or other mistakes➢ Deleting data➢ Corrupting data

➢ Confiscation of machines

Tools for computer security

Tools for confidentialityOverview

➢ Authorization - Access policies - access control

➢ Authentication – identification

➢ Passwords➢ …

➢ Encryption

➢ Virtual private networking

➢ Auditing – logging

➢ ...

Tools for integrityOverview

➢ Backups

➢ Checksums

➢ Antivirus

➢ ...

Tools for availabilityOverview

➢ Disaster recovery planning

➢ Physical protections

➢ Anti-theft➢ Uninterruptible Power Supply

➢ Redundancies

➢ Intrusion-detection systems

➢ Antivirus software

➢ Firewall

➢ ...

TOOLS FOR CONFIDENTIALITY

Passwords

➢ Don't share them

➢ Not even with computer administrators

➢ Don't write them down

➢ Don't reuse them among different sites

➢ Change them often

➢ Select wise:

➢ Easy to remember➢ Hard to guess (resistant to dictionary attacks)

➢ Password length➢ Large set of characters (caps, lower case, numbers, symbols)

Some notorious password leaks

➢ 2014: 5M Gmail passwords

➢ 2013: 38M Adobe passwords (and source code)

➢ 2013: 250K Twitter passwords

➢ 2012: 12M Apple User IDs stolen by FBI, 1M leaked

➢ 2012: 6M LinkedIn passwords

➢ 2012: 450K plaintext Yahoo passwords

➢ 2012: 1.5M plaintext Youporn passwords

➢ 2009: 10K MS Hotmail, MSN and Live passwords

Johannes Weber, http://blog.webernetz.net/2013/07/30/password-strengthentropy-characters-vs-words/

Biometric identification

➢ Finger print

➢ Voice print

➢ Iris scan

➢ Retinal scan

➢ Convenient

➢ Relative safe

➢ But...

Danger ofbiometric identification?

Danger ofbiometric identification?

➢ You can't change your biometric password once it got leaked

➢ You can't legally refuse to give it, unlike a password (US fifth amendment)

Lock your screen when you leave

Security issues in communication

PrivacyPrivacy

IntegrityIntegrity

AuthenticationAuthentication

Non-repudiationNon-repudiation

Interception Spoofing

Modification Proof of parties involved

Cryptography = secret writing

Cipher

algorithm for performing encryption or decryption➢ Example: Caesar cipher

Great if we can exchange

our messages encrypted!

But how can we safely

exchange our keys?

Symmetric encryptionSender and receiver must both know the same secret key

How to exchange that key over distance???

Asymmetric encryptionSender only needs to know the public key of receiver!

Public key encryptionThe private key can unlock (decrypt)

what is locked (encrypted) with the public key

Public key encryptionCreation of keys

Man-in-the-middle attack

➢ How can Bob know

that Alice's key is really Alice's key

(and not Mallory's)?

Digital certificates

Version #Serial #

Signature AlgorithmIssuer Name

Validity PeriodSubject Name

Subject Public KeyIssuer Unique ID

Subject Unique IDExtensions

Digital Signature

HTTPS SSL exchange

➢ CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates).

➢ CAcert has over 200,000 verified users.

➢ These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet.

Web of trustKeysigning parties

Avoid non-encrypted protocols!

➢ Encrypted protocols➢ HTTPS➢ SFTP➢ SSH➢ TOR➢ VPN➢ WEP

(Wired Equivalent Protocol. Weak!)

➢ WPA - WPA2Wi-Fi Protected Access

➢ Non-encrypted protocols➢ HTTP➢ FTP➢ TELNET➢ BitTorrent

Full disk encryption

Full disk encryption

Android encryption

Virtual drive in file container

Encrypted file

container.txt

Mountable as virtual drive

/media/encrypted-disk

/Volumes/encrypted-disk

E:

Virtual Private Networksextends a private (hospital) network across a public (internet) network

encrypted to protect against network sniffing

Internet use through a VPN provider

Sarah A. Downey, http://www.abine.com/blog/2012/petraeuss-emails-werent-private-and-neither-are-yours/

FirewallPrivate versus Demilitarized zone

Private browsing

Task: check http://donttrack.us/

= The Onion RouterFree Open Source software for anonymity network

➢ Bitcoin = distributed peer-to-peer crypto-currency

➢ Log of chain of digitally-signed transactions to prevent double spending

Edward Snowden:

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

You can't trust softwareif its source code is hidden

➢ From the European Parliament investigation into the Echelon system (05/18/2001):

“If security is to be taken seriously, only those operating systems should be used whose source code has been published and checked, since only then can it be determined with certainty what happens to the data.”

➢ Cryptographer, computer security expert Bruce Schneier:

“Secrecy and security aren't the same, even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public."

“If researchers don’t go public, things don’t get fixed. Companies don't see it as a security problem; they see it as a PR problem.”

“Demand open source code for anything related to security”

The Borland Interbase example

➢ 1992-1994: Borland inserted intentional back door into Interbase (closed source database server) allowing local or remote users root access to the machine

➢ 07/2000: Borland releases source code (→ Firebird)

➢ 12/2000: Back door is discovered

Be aware of phishing attacks!

TOOLS FOR INTEGRITY

Make backups!Example: centralized over network

Backups

➢ Use off-site data protection = vaulting● e.g. remote backup (compression, encryption!)

➢ First time and sometimes: full backup➢ Most often: only incremental backup➢ Use a good data retention scheme

➢ e.g. 7 daily, 4 weekly, 12 monthly, all yearly backups➢ Reflect about your time for full restore➢ Test the restore procedure!

➢ “80% of backups fail to restore”

Error detection - Checksum - cryptographic hashe.g. CRC32 (cyclic redundancy check)

MD5 (message digest)SHA-3 (Secure Hash Algorithm)

Scan for malware!

Install software from trusted sources!(avoid if possible P2P or web downloads)

Apply software updates and upgrades!

For import documentssave daily new versions as:

Thesis20131030.odtThesis20131031.odtThesis20131101.odt

...

TOOLS FOR AVAILABILITY

Prepare for disasters!Business continuity planning

= how to stay in business in the event of disaster?

➢ Disaster recovery

● Preventive measures● Detective measures● Corrective measures

Uninterruptible Power SupplyUPS

1)Flywheel

2)Diesel generators

3)Batteries (UPS)

fault tolerance

high availability

redundancy

fail over

RAID: Redundant Arrayof Independent Disks

DDoSDistributed Denial of Service

Questions? Thanks!

Questier.com

Frederik AT Questier.com

www.linkedin.com/in/fquestie

www.diigo.com/user/frederikquestier

www.slideshare.net/Frederik_Questier

Credits➢ Internet Archive, Copyright Bibliotheca Alexandrina, International School of

Information Science (ISIS), http://www.bibalex.org/isis/large/000.jpg

➢ Password Strength, Creative Commons BY-NC http://xkcd.com/936/

➢ Security, Creative Commons BY-NC http://xkcd.com/538/

➢ Zimmermann Telegram, 1917, no known copyright restrictions

➢ Assymetric and symmetric encryption by Jeremy Stretch, http://packetlife.net/blog/2010/nov/23/symmetric-asymmetric-encryption-hashing/

➢ Orange blue public key cryptography, Creative Commons CC0 by Bananenfalter

➢ HTTPS SSL Exchange by Robb Perry, http://coding.smashingmagazine.com/2012/05/17/backpack-algorithms-and-public-key-cryptography-made-easy/

➢ Bitcoin logo, Public Domain by bitboy

➢ Bitcoin Transaction Visual, Creative Commons CC0 by Graingert

➢ Social Icons by Iconshock http://www.iconshock.com/social-icons/

This presentation was madewith 100% Free Software

No animals were harmed