Computer security Prof. dr. Frederik Questier - Vrije Universiteit Brussel Workshop for Lib@web 2014 - International Training Program @ University of Antwerp Management of Electronic Information and Digital Libraries
Jan 15, 2015
Computersecurity
Prof. dr. Frederik Questier - Vrije Universiteit Brussel
Workshop for Lib@web 2014 - International Training Program @ University of AntwerpManagement of Electronic Information and Digital Libraries
This presentation can be found athttp://questier.com
http://www.slideshare.net/Frederik_Questier
Main objectivesof computer security
➢ Confidentiality
➢ of data (secrecy)➢ of persons (privacy)➢ access only by authorized parties
➢ Integrity
➢ data only correctly modified or deleted by authorized parties
➢ Availability
➢ correctly accessible in a timely manner➢ the failure to meet this goal is called a denial of service
Student assignment:
security
➢ Congratulations!➢ You are elected member of the newly established
computer and data security team in your institution.
➢ Make a list of all possible risks that can have an impact on the security and stability of your data and internal and external IT services.
➢ Make a list of recommendations to lower the risks.
What can go wrong?Nature
➢ lightning strike➢ fire➢ flood➢ heat wave – cold wave➢ storm weather, hurricane➢ earthquake➢ tsunami➢ volcano eruption➢ electro magnetic pulse from the sun➢ disease of key employees
What can go wrong?Evil actions by people
➢ break in (hackers - crackers)➢ social engineering
➢ phishing➢ (identity) theft➢ vandalism➢ unhappy employees
➢ sabotage (time bomb)➢ cyber attack, e.g. (Distributed) Denial of Service➢ terrorism➢ war
➢ nuclear bomb
What can go wrong?Malware (malicious software)
➢ virus➢ worm➢ trojan horse➢ rootkit
➢ spyware➢ ransomware
➢ keylogger➢ network sniffer➢ back door➢ dialer
What can go wrong?Infrastructure or services problems
➢ Failure of➢ software (bugs)➢ hardware➢ electricity
➢ power outage or power surge➢ network (cable cut – saturation)➢ airconditioning➢ water pipes –> leak➢ system upgrades➢ service providers (e.g. cloud)
➢ Overload of CPU, memory, storage, network (spam)
What can go wrong?Human errors
➢ Weak security➢ Loss of laptops, smartphones, USB-sticks, …➢ No encryption➢ Passwords leaks or cracks➢ Computer console left unlocked
➢ Misunderstanding computer interface or other mistakes➢ Deleting data➢ Corrupting data
➢ Confiscation of machines
Tools for computer security
Tools for confidentialityOverview
➢ Authorization - Access policies - access control
➢ Authentication – identification
➢ Passwords➢ …
➢ Encryption
➢ Virtual private networking
➢ Auditing – logging
➢ ...
Tools for integrityOverview
➢ Backups
➢ Checksums
➢ Antivirus
➢ ...
Tools for availabilityOverview
➢ Disaster recovery planning
➢ Physical protections
➢ Anti-theft➢ Uninterruptible Power Supply
➢ Redundancies
➢ Intrusion-detection systems
➢ Antivirus software
➢ Firewall
➢ ...
TOOLS FOR CONFIDENTIALITY
Passwords
➢ Don't share them
➢ Not even with computer administrators
➢ Don't write them down
➢ Don't reuse them among different sites
➢ Change them often
➢ Select wise:
➢ Easy to remember➢ Hard to guess (resistant to dictionary attacks)
➢ Password length➢ Large set of characters (caps, lower case, numbers, symbols)
Some notorious password leaks
➢ 2014: 5M Gmail passwords
➢ 2013: 38M Adobe passwords (and source code)
➢ 2013: 250K Twitter passwords
➢ 2012: 12M Apple User IDs stolen by FBI, 1M leaked
➢ 2012: 6M LinkedIn passwords
➢ 2012: 450K plaintext Yahoo passwords
➢ 2012: 1.5M plaintext Youporn passwords
➢ 2009: 10K MS Hotmail, MSN and Live passwords
Johannes Weber, http://blog.webernetz.net/2013/07/30/password-strengthentropy-characters-vs-words/
Biometric identification
➢ Finger print
➢ Voice print
➢ Iris scan
➢ Retinal scan
➢ Convenient
➢ Relative safe
➢ But...
Danger ofbiometric identification?
Danger ofbiometric identification?
➢ You can't change your biometric password once it got leaked
➢ You can't legally refuse to give it, unlike a password (US fifth amendment)
Lock your screen when you leave
Security issues in communication
PrivacyPrivacy
IntegrityIntegrity
AuthenticationAuthentication
Non-repudiationNon-repudiation
Interception Spoofing
Modification Proof of parties involved
Cryptography = secret writing
Cipher
algorithm for performing encryption or decryption➢ Example: Caesar cipher
Great if we can exchange
our messages encrypted!
But how can we safely
exchange our keys?
Symmetric encryptionSender and receiver must both know the same secret key
How to exchange that key over distance???
Asymmetric encryptionSender only needs to know the public key of receiver!
Public key encryptionThe private key can unlock (decrypt)
what is locked (encrypted) with the public key
Public key encryptionCreation of keys
Man-in-the-middle attack
➢ How can Bob know
that Alice's key is really Alice's key
(and not Mallory's)?
Digital certificates
Version #Serial #
Signature AlgorithmIssuer Name
Validity PeriodSubject Name
Subject Public KeyIssuer Unique ID
Subject Unique IDExtensions
Digital Signature
HTTPS SSL exchange
➢ CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates).
➢ CAcert has over 200,000 verified users.
➢ These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet.
Web of trustKeysigning parties
Avoid non-encrypted protocols!
➢ Encrypted protocols➢ HTTPS➢ SFTP➢ SSH➢ TOR➢ VPN➢ WEP
(Wired Equivalent Protocol. Weak!)
➢ WPA - WPA2Wi-Fi Protected Access
➢ Non-encrypted protocols➢ HTTP➢ FTP➢ TELNET➢ BitTorrent
Full disk encryption
Full disk encryption
Android encryption
Virtual drive in file container
Encrypted file
container.txt
Mountable as virtual drive
/media/encrypted-disk
/Volumes/encrypted-disk
E:
Virtual Private Networksextends a private (hospital) network across a public (internet) network
encrypted to protect against network sniffing
Internet use through a VPN provider
Sarah A. Downey, http://www.abine.com/blog/2012/petraeuss-emails-werent-private-and-neither-are-yours/
FirewallPrivate versus Demilitarized zone
Private browsing
Task: check http://donttrack.us/
= The Onion RouterFree Open Source software for anonymity network
➢ Bitcoin = distributed peer-to-peer crypto-currency
➢ Log of chain of digitally-signed transactions to prevent double spending
Edward Snowden:
“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”
You can't trust softwareif its source code is hidden
➢ From the European Parliament investigation into the Echelon system (05/18/2001):
“If security is to be taken seriously, only those operating systems should be used whose source code has been published and checked, since only then can it be determined with certainty what happens to the data.”
➢ Cryptographer, computer security expert Bruce Schneier:
“Secrecy and security aren't the same, even though it may seem that way. Only bad security relies on secrecy; good security works even if all the details of it are public."
“If researchers don’t go public, things don’t get fixed. Companies don't see it as a security problem; they see it as a PR problem.”
“Demand open source code for anything related to security”
The Borland Interbase example
➢ 1992-1994: Borland inserted intentional back door into Interbase (closed source database server) allowing local or remote users root access to the machine
➢ 07/2000: Borland releases source code (→ Firebird)
➢ 12/2000: Back door is discovered
Be aware of phishing attacks!
TOOLS FOR INTEGRITY
Make backups!Example: centralized over network
Backups
➢ Use off-site data protection = vaulting● e.g. remote backup (compression, encryption!)
➢ First time and sometimes: full backup➢ Most often: only incremental backup➢ Use a good data retention scheme
➢ e.g. 7 daily, 4 weekly, 12 monthly, all yearly backups➢ Reflect about your time for full restore➢ Test the restore procedure!
➢ “80% of backups fail to restore”
Error detection - Checksum - cryptographic hashe.g. CRC32 (cyclic redundancy check)
MD5 (message digest)SHA-3 (Secure Hash Algorithm)
Scan for malware!
Install software from trusted sources!(avoid if possible P2P or web downloads)
Apply software updates and upgrades!
For import documentssave daily new versions as:
Thesis20131030.odtThesis20131031.odtThesis20131101.odt
...
TOOLS FOR AVAILABILITY
Prepare for disasters!Business continuity planning
= how to stay in business in the event of disaster?
➢ Disaster recovery
● Preventive measures● Detective measures● Corrective measures
Uninterruptible Power SupplyUPS
1)Flywheel
2)Diesel generators
3)Batteries (UPS)
fault tolerance
high availability
redundancy
fail over
RAID: Redundant Arrayof Independent Disks
DDoSDistributed Denial of Service
Questions? Thanks!
Questier.com
Frederik AT Questier.com
www.linkedin.com/in/fquestie
www.diigo.com/user/frederikquestier
www.slideshare.net/Frederik_Questier
Credits➢ Internet Archive, Copyright Bibliotheca Alexandrina, International School of
Information Science (ISIS), http://www.bibalex.org/isis/large/000.jpg
➢ Password Strength, Creative Commons BY-NC http://xkcd.com/936/
➢ Security, Creative Commons BY-NC http://xkcd.com/538/
➢ Zimmermann Telegram, 1917, no known copyright restrictions
➢ Assymetric and symmetric encryption by Jeremy Stretch, http://packetlife.net/blog/2010/nov/23/symmetric-asymmetric-encryption-hashing/
➢ Orange blue public key cryptography, Creative Commons CC0 by Bananenfalter
➢ HTTPS SSL Exchange by Robb Perry, http://coding.smashingmagazine.com/2012/05/17/backpack-algorithms-and-public-key-cryptography-made-easy/
➢ Bitcoin logo, Public Domain by bitboy
➢ Bitcoin Transaction Visual, Creative Commons CC0 by Graingert
➢ Social Icons by Iconshock http://www.iconshock.com/social-icons/
This presentation was madewith 100% Free Software
No animals were harmed