1 THE STRATEGIES AND METHODOLOGIES OF COMPUTER SECURITY OFTEN DIFFER FROM MOST OTHER COMPUTER TECHNOLOGIES
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
THE STRATEGIES AND METHODOLOGIES OF COMPUTER SECURITY OFTEN DIFFER FROM MOST OTHER COMPUTER TECHNOLOGIES
2
CHAPTER ONE
1.1 INTRODUCTION
Computer security is a branch of computer technology known as
information security that is applied to computers and networks. The
objective of computer security includes protection of information and
property from theft, corruption, or natural disaster, while allowing the
information and property to remain accessible and productive to its
intended users. The term computer system security means the
collective processes and mechanisms by which sensitive and valuable
information and services are protected from publication, tampering or
collapse by unauthorized activities or untrustworthy individuals and
unplanned events respectively. The strategies and methodologies of
computer security often differ from most other computer technologies
because of its somewhat elusive objective of preventing unwanted
computer instead of enabling wanted computer behavior. These are
four(4) approaches to security in computing, sometimes a combination
of approaches is valid:
Trust all the software to abide by a security policy but the
software is not trustworthy (this is computer insecurity).
3
Trust all the software to abide by a security policy and the
software is validated as trustworthy (by tedious branch and path
analysis for example).
Trust no software but enforce a security policy with
mechanisms that are not trustworthy (again this is computer
insecurity).
Trust no software but enforce a security policy with trustworthy
hardware mechanism.
1.2 OBJECTIVE OF THE STUDY
The aim of this investigate work is to fetch to light underlying concept of computer security and unrestricted conviction.
The Objectives Of This Study Are:
To focus on the security of the computer components.
To analyze the various computer crimes and frauds that is
common to the computer technology.
To further expatiate about the computer hacker and crackers.
To evaluate the effect of computer security and unrestricted
trust.
1.4 SCOPE AND DATA LIMITATION
This project is limited to the determination of the Computer Security
and Unrestricted Trust. It however shows that there are certain
additions that are beyond the scope of this project. It is intended to
4
give a better insight to the topic under consideration. One of the
constraints is to rely on the information supplied by computer security
and unrestricted trust, which is the focus of the studies. This is
because it may contain a lot of lapses. It is equally observed that a lot
of information considered by computer secret keys are vital and
confidential to manage computer security to be withheld. This may
affect the accuracy of result.
1.5 PROBLEM ENCOUNTERED
During the process of carrying out the project work ,the
following problems were encountered:
1. Time dynamic
2. Financial quandary
3. Insufficient resources
TIME DYNAMIC: Much time and energy were required in
carrying out the project
FINANCIAL PROBLEM: Money was also spent at cybercafé
in getting more information from the internet and also
transportation, there were inadequate information and lost of
data and information through piracy.
INADEQUATE MATERIALS: This is a great challenge to
me during the carrying out of the research work.
5
1.5.1 DEFINITION OF THE FOLLOWING TERM:
1. COMPUTER
2. TECHNOLOGY
3. INTERNET
4. NETWORKING
5. SECURITY
6. DATA
7. ENCRYPTION
COMPUTER
A computer is a general purpose device which can be programmed to
carry out a finite set of arithmetic or logical operations. Since a
sequence of operations can be readily changed, the computer can solve
more than one kind of problem. The essential point of a computer is to
implement an idea, the terms of which are satisfied by Alan Turing’s
Universal Turing Machine.
TECHNOLOGY
Technology is the making, modification, usage, applied activity or
behavior, and knowledge of tools, machines, techniques, crafts,
systems, methods of organization or environmental rearrangements in
order to solve a problem, improve a preexisting solution to a problem,
achieve a goal or perform a specific function. It can also refer to the
collection of such tools, machinery, modifications, arrangements and
procedures.
Examples of Technology are:
6
Astronomy, airplanes, telephones, electric lights, and motorized
vehicles are all examples of technology, which is the application of
scientific discoveries to physical use.
Computers, the internet and cellular phones are examples in the field
of electronics, which is the most widely recognized technological
field. Other examples include Microwave ovens, DVD players,
ipods, and remote controls for video and audio devices.
INTERNET
The Internet is a global system of interconnected computer networks
that use the standard Internet protocol suite (often called TCP/IP,
although not all applications use TCP) to serve billions of users
worldwide. It is a network of networks that consists of millions of
private, public, academic, business, and government networks, of local
to global scope, that are linked by a broad array of electronic, wireless
and optical networking technologies. The Internet carries an extensive
range of information resources and services, such as the inter-linked
hypertext documents of the World Wide Web (WWW) and the
infrastructure to support email. Examples of Internet are:
Email:- is an example of internet services. It is used as a medium to
transfer information and data
NETWORKING
A networking is a series of points of nodes interconnected by
communication paths. Networks can interconnect with other networks
and contain sub-networks.
7
The most common topology or general configurations of networks
includes the bus, star, token ring, and mesh topologies. Networks can
also be characterized in terms of spatial distance as local area
networks (LANs), Metropolitan Area Networks (MANs), and Wide
Area Networks (WANs)..
SECURITY
Is an information technology, security is the protection of information
assets through the use of technology, processes, and training.
In the computer industry, the term security or the phrase computer
security refers to techniques for ensuring that data stored in a
computer cannot be read or compromised by any individuals without
authorization.
DATA
In computing, data is information that has been translated into a form
that is more convenient to move or process. Relative to today’s
computers and transmission media, data is information converted into
binary digital form.
In telecommunication, data sometimes means digital-encoded
information to distinguish it from analog-encoded information such as
conventional telephone voice calls. In general, “analog” or voice
transmission required a dedicated continual connection for the
duration of a related series of transmissions. Data transmission can
often be sent with intermittent connections in packets that arrive in
piecemeal fashion.
8
“Generally and in science, data is a gathered body of facts”
ENCRYPTION
Is the process of transforming information (referred to as plaintext)
using an algorithm (called a cipher) to make it unreadable to anyone
except those possessing special knowledge, usually referred to as a
key.
Encryption is a way to enhance the security of a message or file by
scrambling the contents so that it can be read only by someone who
has the right encryption key to unscramble it. For example, if you
purchase something from a website, the information for the
transaction (such as your address, phone number, and credit card
number) is usually encrypted to help keep it safe. Use encryption
when you want to strong level of protection for your information.
The Two Most Common Types Of Encryption Are:
1. Software Based Encryption
2. Hardware Based Encryption
Software Based Encryption:
This type of encryption will typically consist of a standard storage
device (Hard Drive, Flash Drive, Digital Media Card, etc.) and a
software program to facilitate the encryptions. For example, the
standard DiskGO Secure drive comes with a program called
CryptArchiver. This software allows the user to create an encrypted
“Vault” on the drive, with all files stored in the Vault area to be
encrypted in either 236-bit AES or 448-bit Blowfish algorithms. The
drawback to this type is encryption is that your system hardware
9
(CPU, RAM) is responsible for all the encryption tasks done during a
file transfer. This is compounded by the fact that USB itself relies on
your system hardware (CPU, RAM, and hard drive speeds) to
maintain reliable speeds. Because of this, you trade security for
performance. Data transfers made using this encryption method can
cause dramatically reduced speeds for files transfers. For example,
let’s say a flash drive can be copied to at an average minimum
of4MB/s. if you added software encryption to the mix, your transfer
speeds could drop to as low as 1MB/s for certain types of files.
Hardware Based Encryption:
The only significant difference with Hardware Based Encryption is
that all data intensive encryption tasks are done onboard the storage
device, rather than relying on system resources to do the work. With
this method of encryption, file transfer speeds will remain more stable
during the encryption process. Also, most hardware encrypted drives
are built with more robust materials and are typically highly resistant
to physical damage and are likely to be water resistant. The drawback
to this type of encryption is higher consumers. Hardware based
encryption of flash drives can sometimes be 2-3 times as expensive as
software based options.
10
CHAPTER TWO
2.1 LITERATURE REVIEW
A computer is a general purpose device which can be programmed to
carry out a finite set of arithmetic or logical operations. Since a
sequence of operations can be readily changed, the computer can solve
more than one kind of problem. The essential point of a computer is to
implement an idea, the terms of which are satisfied by Alan Turing’s
Universal Turing Machine.
Conventionally, a computer consists of at least one processing element
and some form of memory. The processing element carries out
arithmetic and logic operations, and a sequencing and control unit that
can change the order of operations based on stored information.
Peripheral devices allow information to be retrieved from an external
source, and the result of operations saved.
A computer’s processing unit executes a series of instructions that
make it read, manipulate and then store date. Conditional instructions
change the sequence of instructions as a function of the current state
of the machine or its environment.
In order to interact with such a machine, programmers and engineers
developed the concept of a user interface in order to accept input from
humans and return results for human consumption.
11
The first electronic digital computers were developed between 1940
and 1945 in the United Kingdom and United States. Originally, they
were the size of a large room, consuming as much power as several
hundred modern personal computers (PCs).
1. In this era mechanical analog computers were used for military
applications.
Modern computers based on integrated circuits are millions to
billions of times more capable than early machines, and occupy
a fraction of the space.
2. Simple computers are small enough to fit into mobile devices,
and mobile computers can be powered by small batteries.
Personal computers in their various forms are icons of the
Information Age and are what most people think as
“computers”. However, the embedded computers found in many
devices from Mp3 players to fighter aircraft and form toys to
industrial robots are the most numerous.
The Jacquard Loom was one of the first programmable devices.
12
2.1.1 History of Computing Hardware
The first use of the word “computer” was recorded in 1613, referring
to a person who carried out calculations, or computations, and the
word continued with the same meaning until the middle of the 20 th
century. From the end of the 19th century the word began to take on its
more familiar meaning, a machine that carries out computations.
2.1.2 Limited-function early computers
The history of the modern computer begins with two separate
technologies, automated calculation and programmability, but no
single device can be identified as the earliest computer, partly because
of the inconsistent application of that term. A few devices are worth
mentioning through, like some mechanical aids to computing, which
were very successful and survived for centuries until the advent of the
electronic calculator, like the Sumerian Abacus, designed around
2500BC of which a descendant won a speed competition against a
modern desk calculating machine in Japan in 1946, the slide rules,
invented in the 1620s, which were carried on five Apollo space
missions, including to the moon and arguably the astrolabe and the
Antikythera mechanism, an ancient astronomical computer built by
the Greeks around 80BC. The Greek mathematician Hero of
Alexandria (c. 10-70 AD) built a mechanical theater which performed
a play lasting 10 minutes and was operated by a complex system of
ropes and drums that might be considered to be a means of deciding
which parts of the mechanism performed which actions and when.
This is the essence of programmability. Around the end of the 10 th
13
century, the French monk Gerbert d’Aurillac brought back from
Spain the drawings of a machine invented by the moors that answered
either Yes or No to the questions it was asked. Again in the 13th
century, the monks Albertus Magnus and Roger Bacon built talking
androids without any further development (Albertus Magnus
complained that he had wasted forty years of his life when Thomas
Aquinas, terrified by the machine, destroyed it).
In 1642, the Renaissance saw the invention of the mechanical
calculator, a device that could perform all four arithmetic operations
without relying on human intelligence. The mechanical calculator was
at the root of the development of computer in two separate ways.
Initially, it was in trying to develop more powerful and more flexible
calculators that the computer was first theorized by Charles Babbage
and then developed. Secondly, development of a low cost electronic
calculator, successor to the mechanical calculator, resulted in the
development by Intel of the first commercially available
Microprocessor integrated circuit.
2.1.3 First General-Purpose Computers
In 1801, Joseph Marie Jacquard made an improvement to the
Textile Loom by introducing a series of Punched Paper Cards as a
template which allowed his loom to weave intricate patterns
automatically. The resulting Jacquard patterns automatically. The
resulting Jacquard loom was an important step in the development of
14
computers because the use of punched cards to define woven patterns
can be viewed as an early, albeit limited, form of programmability.
2.1.4 The Zuse Z3 COMPUTER, 1941,
considered the world’s first working programmable, fully
automatic computing machine.
It was the fusion of automatic calculation with programmability that
produced the first recognizable computers. In 1837, Charles Babbage
was the first to conceptualize and design a fully programmable
mechanical computer, his analytical engine limited finances and
Babbage’s inability to resist tinkering eith the design meant that the
device was never completed-nevertheless his son, Henry Babbage,
completed a simplified version of the analytical engine’s computing
unit (the mill) in 1888. he gave a successful demonstration of its use in
computing tables in 1906. this machine was given to the Science
museum in South Kensington in 1910.
In the late 1880s, Herman Hollerith invented the recording of data on
a machine-readable medium. Earlier uses of machine-readable media
had been for control, not data. “After some initial trials with paper
tape, he settled on punched cards. To process these punched cards he
invented the tabulator, and the Keypunch machines. These three
inventions were the foundation of the modern information processing
of punched cards was performed for the 1890 United States Census by
15
Hollerith’s company, which later became the core of IBM. By the end
of the 19th century a number of ideas and technologies, that would
later prove useful in the realization of practical computers, had begun
to appear: Boolean Algebra, the vacuum tube (Thermionic valve),
punched cards and tape, and the teleprinter.
During the first half of the 20th century, many scientific computing
needs were met be increasing sophisticated analog computers, which
used a direct mechanical or electrical model of the problem as a basis
for computation. However, these were not programmable and
generally lacked the versatility and accuracy of modern digital
computers.
Alan Turing is widely regarding as the father of modern computer
science. In 1936 Turing provided an influential formalization of the
concept of the algorithm and computation with the Turing Machine,
providing a blueprint for the electronic digital computer of his role in
the creation of the modern computer, Time magazine in naming
Turing one of the 100 most influential people of the 20th century,
states: “The fact remains that everyone who taps at a keyboard,
opening a spreadsheet or a word-processing program, is working on an
incarnation of a Turing machine.
2.1.5 The ENIAC COMPUTER
which became operational in 1946, is
considered to be the first general-purpose
electronic computer.
16
2.1.6 EDSAC COMPUTER
EDSAC COMPUTER was one of the first
computers to implement the stored-program
(Von Neumann) architecture.
2.1.7 The Atanasoff-Berry Computer (ABC)
was the world’s first electronic digital computer, albert not
programmable. Atanasoff is considered to be one of the fathers of the
computer. Conceived in 1937 by Lowa State College Physics
Professor John Atanasoff, and built with the assistance of graduate
student Clifford Berry, the machine was not programmable, being
designed only to solve systems of linear equations. The computer did
employ parallel computation. A 1973 court ruling in a patent dispute
found that the patent for the 1946 ENIAC computer derived from the
Atanasoff-Berry Computer.
The first program-controlled computer was invented by Konrad Zuse,
who built the Z3, an electromechanical computing machine, in 1941.
the first programmable electronic computer was the Colossus, built in
1943 by Tommy Flowers.
George Stibitz is internationally recognized as a father of the modern
digital computer. While working at Bell Labs in November 1937,
17
Stibitz invented and built a relay-based calculator he dubbed the
“Model K” (for “kitchen table”, on which he had assembled it), which
was the first to use binary circuits to perform an arithmetic operation.
Later models added greater sophistication including complex
arithmetic and programmability.
A series of steadily more powerful and flexible computing devices
was constructed in the 1930s and 1940s, gradually adding the key
features that are seen in modern computers. The use of digital
electronics (largely invented by Claude Shannon in 1937) and more
flexible programmability were vitally important steps, but defining
one point along this road as “the first digital electronic computer” is
difficult. Shannon 1940 Notable achievements include:
Konrad Zuse’s Electromechanical “Z machines”. The Z3
(1941) was the first working machine featuring binary
arithmetic, including floating point arithmetic and a measure of
programmability. In 1998 the Z3 was proved to be Turing
complete, therefore being the world’s first operational
computer.
The Non-Programmable Atanasoff-Berry computer
(commenced in 1937, completed in 1941) which used vacuum
tube based computation, binary numbers, and regenerative
capacitor memory. The use of regenerative memory allowed it
to be much more compact that its pears (being approximately
the size of a large desk or workbench), since intermediate
18
results could be stored and then feed back into the same set of
computation elements.
The Secret British Colossus Computer (1943), which had
limited programmability but demonstrated that a device using
thousands of tubes, could be reasonably reliable and
electronically reprogrammable. It was used for breaking
German wartime codes.
The Harvard Mark I (1944), a large-scale electromechanical
computer with limited programmability.
The U.S. Army’s Ballistic Research Laboratory ENIAC (1946),
which used decimal arithmetic and is sometimes called the first
general purpose electronic computer (since Konrad Zuse’s Z3
of 1941 used electromagnets instead of electronics). Initially,
however, ENIAC had an inflexible architecture which
essentially required rewiring to change its programming.
2.1.8 STORED-PROGRAM ARCHITECTURE
Several developers of ENIAC, recognizing its flaws, came up with a
fare more flexible and elegant design, which came to be known as the
“stored-program architecture” or Von Neumann Architecture. This
design was first formally described by John Von Neumann in the
paper First Draft of a Report on the EDVAC, distributed in 1945. A
number of projects to develop computers based on the stored-program
architecture commence around this time, the first of which was
19
completed 1948 at the University of Manchester in England, the
Manchester Small-Scale Experimental machine (SSEM or “Baby”).
The Electronic Delay Storage Automatic Calculator (EDSAC),
completed a year after the SSEM at Cambridge University, was the
first practical, non-experimental implementation of the stored-program
design and was put to use immediately for research work at the
university. Shortly thereafter, the machine original described by Von
Neumann’s paper-EDVAC-was completed but did not see full-time
use for an additional two years.
Nearly all modern computers implement some form of the stored-
program architecture, making it the single trait by which the word
“computer” is now defined. While the technologies used in computers
have change dramatically since the first electronic, general-purpose
computers of the 1940s, most still use the Von Neumann architecture.
2.1.9 Die of an Intel 80486DX2 Microprocessor
Beginning in the 1950s, Soviet scientists Sergei Sobolev and Kikolay
Brusentsove conducted research in ternary computers, device that
operated on a base three numbering system of -1,0 and 1 rather than
the conventional binary numbering system upon which most
computers are based. They designed the Setun, a functional ternary
computer, at Moscow State University. The device was put into
20
limited production in the Soviet Union, but supplanted by the more
common binary architecture.
Semiconductors and Microprocessors
Computers using vacuum tubes as their electronic elements were in
use throughout the 1950s, but by the 1960s had been largely replaced
by semiconductor transistor-based machines, which were smaller,
faster, and cheaper to produce, required less power, and were more
reliable. The first transistorized computer was demonstrated at the
University of Manchester in 1953. in the 1970s, integrated circuit
technology and the subsequent creation of microprocessors, such as
the Intel 4004, further decreased size and cost and further increased
speed and reliability of computers. By the late 1970s, many products
such as Video Recorders contained dedicated computers called
microcontrollers, and they started to appear as a replacement to
mechanical controls in domestic appliances such as washing
machines. The 1980s witnessed home computers and the now
ubiquitous personal computer. With the evolution of the Internet,
personal computers are becoming as common as the television and the
telephone in the household (citation needed).
Modern smart-phones are fully programmable computers in their own
right, and as of 2009 may well be the most common form of such
computers in existence (citation needed).
2.1.10SOCIAL ENGINEERING
In the context of security, is into performing actions or divulging
confidential information. While it is similar to a confidence trick or
21
simple fraud, it is typically trickery or deception for the purpose of
information gathering, fraud, or computer system access; in most
cases the attacker never comes face-to-face with the victims.
“Social engineering” as an act of psychological manipulation had
previously been associated with the social science, but its usage has
caught on among computer professionals.
2.2 TECHNIQUE OF SOCIAL SECURITY OF
ENGINEERING
All social engineering techniques are based on specific attributes of
human decision-making as cognitive biases, these biases sometimes
called “bugs in the human hardware,” are exploited in various
combinations to create attack techniques, some of which are listed and
explain here:
1. PRETEXTING also known (in the UK) as blagging,
2. DIVERSION THEFT
3. PHISHING
4. IVR OR PHONE PHISHING
5. BAITING
6. QUID PRO QUO (Quid Pro Quo Means Something For
Something)
7. TALIGATING Main Article: Piggybacking (Security)
8. COUNTER-MEASURES
9. OTHER TYPES
22
2.2.1 PRETEXTING also known (in the UK) as blagging,
Pretexting is the act of creating and using an invented scenario
(the pretext) to engage a targeted victim in a manner that increases the
chance the victim will divulge information or perform actions that
would be unlikely in ordinary circumstances. An elaborate lie, it most
often involve some prior research or setup and the use of this
information for impersonation (e.g., Date of Birth, Social Security
Number, Last Bill Amount) to establish legitimacy in the mind of the
target.
This technique can be used to trick a business into disclosing
customer information as well as by private investigators to obtain
telephone records, utility records, banking records and other
information directly from company service representatives. The
information can be used to establish even greater legitimacy under
tougher questioning with a manager, e.g., to make account changes,
get specific balances, etc.
Pretexting has been an observed law enforcement technique, under
the auspices of which, a law officer may leverage the threat of an
alleged infraction to detain a suspect for questioning and conduct
close inspection of a vehicle or premises.
Pretexting can also be used to impersonate co-workers, police, bank,
tax authorities, or insurance investigators-or any other individual who
could have perceived authority or right-to-know in the mind of the
targeted victim. The pretexter must simply prepare answers to
questions that might be asked by the victim. In some cases all that is
23
needed is a voice that sounds authoritative, an earnest tone, and an
ability to think on one’s feet.
2.2.2 DIVERSION THEFT
Diversion theft, also known as the “Corner Game” or “Round
the Corner Game”, Originated in the East End of London.
In summary, pastime theft in a “Con” exercised by professional
thieves, normally against a transport or courier company. The
objective is to persuade the person responsible for a legitimate
delivery that the consignment is requested elsewhere-hence, “round
the corner”.
With a load/consignment redirected, the thieves persuade the
driver to unload the consignment near to, or away from, the
consignee’s address, in the pretense that it is “going straight out” or
“urgently required somewhere else”.
The “Con” or deception has many distinct facets, which include
social engineering techniques to persuade legitimate administrative or
traffic personnel of a transport or courier company to issue
instructions to the driver to redirect the consignment or load.
Another variation of diversion theft is stationing a security van outside
a bank on Friday evening. Smartly dressed guards use the line “Night
safe’s out of order, Sir”. By this method shopkeepers etc. are gulled
24
into depositing their takings into the van. They do of course obtain a
receipt but later this turn out to be worthless. A similar technique was
many years ago to steal a Steinway grand piano from a radio studio in
London. “Come to overhaul the piano, guv” was the chat line.
2.2.3 PHISHING
Phishing is a technique of fraudulently obtaining private
information. Typically, the phished send an e-mail that appears to
come from a legitimate business-a bank, or credit card company-
requesting “verification” of information and warning of some dire
consequence if it is not provided. The e-mail usually contains a link to
a fraudulent web page that seems legitimate-with company logos and
content-and has a form requesting everything from a home address to
an ATM card’s PIN.
For example, 2003 saw the proliferation of a phishing scam in which
users receive e-mails supposedly from eBay claiming that the user’s
account was about to be suspended unless a link provided was clicked
to update a credit card (information that the genuine eBay already
had). Because it is relatively simple to make a Web-site resemble a
legitimate organization’s site by mimicking the HTML code, the scam
counted on people being contacted by eBay and subsequently, were
going to eBay’s site to update their account information. By
spamming large groups of people, the “Phisher” counted on the e-mail
being ready by a percentage of people who already had listed credit
card numbers with eBay legitimately, who might respond.
25
2.24 IVR OR PHONE PHISHING Main article: Vishing
This technique uses a rogue Interactive voice response (IVR)
system to recreate a legitimate-sounding copy of a bank or other
institution’ IVR system. The victim is prompted (typically via a
phishing e-mail) to call in the “bank” via (ideally toll free) number
provided in order to “verify” information. A typical system will reject
log-ins continually, ensuring the victim enters PINs or passwords
multiple time, often disclosing several distinct passwords. More
advanced systems transfer passwords. More advanced systems transfer
the victim to the attacker posing as a customer service agent for
further questioning.
One could even record the typical commands (“Press one to change
your password, press two to speak to customer service”…) and play
back the direction manually in real time, giving the appearance of
being an IVR without the expense.
Phone phishing is also called vishing.
2.25 BAITING
Baiting is like the real-world ‘Trojan Horse’ that uses physical media
and relies on the curiosity or greed of the victim.
In this attack, the attacker leaves a malware infected floppy disk, CD
ROM, or USB flash drive in a location sure to be found (bathroom,
26
elevator, sidewark, parking lot), gives it a legitimate looking and
curiosity-piquing label, and simply waits for the victim to use the
device.
For example, an attacker might create a disk featuring a corporate
logo, readily available from the target’s web site, and write “Execute
Salary Summary Q2 2012” on the front. The attacker would then leave
the disk on the floor of an elevator or somewhere in the lobby of the
targeted company. An unknowing employee might find it and
subsequently insert the disk into a computer to satisfy their curiosity,
or a good Samaritan might find it and turn it in to the company.
In either case as a consequence of merely inserting the disk into a
computer to see the contents, the user would unknowingly install
malware on it, likely giving an attacker unfettered access to the
victim’s PC and perhaps, the targeted company’s internal computer
network.
Unless computer controls block the infection, PCs set to “auto-run”
inserted media may be compromised as soon as a rogue disk in
inserted.
More attractive than memory, hostile devices can also be used. For
instance, a “lucky winner” is sent a free digital audio player that
actually compromises any computer it is plugged to. Technology
security company HBGray has sold such devices to the US
government.
27
2.26 QUID PRO QUO (Quid Pro Quo Means Something For
Something)
An attacker calls random numbers at a company claiming to be
calling back from technical support. Eventually they will hit
someone with a legitimate problem, grateful that someone is
calling back to help them. The attacker will “help: solve the
problem and in the process have the user type commands that
give the attacker access or launch malware.
In a 2003 information security survey, 90% of office workers
gave researches what they claimed was their password in
answer to a survey question in exchange for a cheap pen.
Similar surveys in later years obtained similar results using
chocolates and other cheap lures, although they made no
attempt to validate the passwords.
2.2.7 TALIGATING Main Article: Piggybacking (Security)
An attacker, seeking entry to a restricted area where access is by
unattended, electronic access control, e.g. by RFID card, simply walks
in behind a person who has legitimate access. Following common
courtesy, the legitimated person will usually hold the door open for
the attacker. The legitimate person may fail to ask for identification
for any several reasons, or may accept an assertion that the attacker
has forgotten or lost the appropriate identity token. The attacker many
also fake the action of presenting an identity token.
28
2.2.8 OTHER TYPES
Common confidence tricksters or fraudsters also could be considered
“social engineers” in the wider sense, in that they deliberately deceive
and manipulate people, exploiting human weaknesses to obtain
personal benefit. They may, for example, use social engineering
techniques as part of an IT fraud.
A very recent type of social engineering techniques include spoofing
or cracking IDs of people having popular e-mail IDs such as Yahoo!,
Gmail, Hotmail, etc. Among the many motivations for deception are:
Phishing credit-card account numbers and their passwords.
Cracking private e-mails and chat histories, and manipulating
them by using common editing techniques before using them to
extort money and creating distrust among individuals.
Cracking websites of companies or organizations and
destroying their reputation.
Computer virus hoaxes.
2.2.9 COUNTER-MEASURES
Organizations must, on an employee/personnel level, establish
frameworks of trust. (i.e. When/Where/Why/How should
sensitive information be handled?)
29
Organizations must identify which information is sensitive and
question its integrity in all forms (i.e., Social Engineering,
Building Security, Computer Security, etc.)
Organizations must establish security protocols for the people
who handle sensitive information. (i.e., Paper-Trails for
information disclosure and/or forensic crumbs).
Employees must be trained in security protocols relevant to
their position. (e.g., employees must identify people who steer
towards sensitive information.) (Also: in situations such as
taligaing, if a person’s identity cannot be verified, then
employees must be trained to politely refuse.)
An Organization’s framework must be tested periodically, and
these tests must be unannounced.
Insert a critical eye into any of the above steps: there is no
perfect solution for information integrity.
Dumpster Security by using a waste management service that
has dumpsters with locks on them, with keys to them limited
only to the waste management company and the cleaning staff.
Also making sure the dumpster is located in a place where it is
not out of view, and trying to access it will carry a risk to being
seen or caught or behind a locked gate or fence where the
person trespass before they can attempt to access the dumpster.
30
CHAPTER THREE
3.1 EFFECT OF COMPUTER SECURITY ON UNRESTRICTED TRUST
Social trust is necessary to the full enjoyment of the benefits of
computers. Security influences that are trust.
Many failures are public; they diminish trust globally, not just
locally. My security is related to your security; if your system falls to
hackers, it may give them a path to me and resources to be used
against me. The damage that is done to necessary public trust and
confidence by the publicity of our failures may be out of all proportion
to the direct damage that either of us suffers.
The security measures that are indicated to preserved public
trust my exceed those that are indicated by your use or mine. The
security achieved as a result of each of us making our own local
decisions based upon our own local situation may not be sufficient to
preserve public trust and confidence. If we are to enjoy the potential
benefits of this new technology, then we must ensure that its use is
sufficiently orderly and well-behaved to sustain that trust.
That we do trust computers is obvious. Some minimum level of
trust has been necessary to their acceptance and use. If you cannot
31
trust what the computer tells you, at least most of the time, then it has
no value. Some of that trust is possibly misplaced; it presumes a level
of perfection that is difficult to achieve and maintain in complex
systems.
That there is a fundamental undercurrent of mistrust is equally
obvious. The RISKS forum, moderated by Peter Neumann, gives loud
and, often, eloquent testimony to this mistrust.
Much of both the trust and mistrust of computers is independent
of their security. However, trust is influenced by security. Security
contributes to the necessary trust; but its absence and its failures lead
to the mistrust. This computer security, whether we like it or not, is a
social issue. It is global, not local. It is bigger than our systems. It is
related to those fundamental human values of cooperation and
collaboration.
3.2 THE COST OF SECURITY ON THE COMPUTER AND THE UNRESTRICTED TRUST.
32
We write, speak, and behave as though security were free, as
though it were an independent property that could be achieved without
diminishing any other desiderata. We speak as though its absence or
inadequacy were always a mistake; we want to know who is to blame
on the security of computer.
In the sense that good security is good design, this is true.
However, in another sense security is usually achieved at the expense
of some other desirable property of the system of the system. I learned
this that the user and designer is to see that the security of the system
are well guarantee and the cost of the design must be bore on the
designer for the flexibility of a system to all users and still say that it is
controlled or secure. Designers, implementors, and managers are
confronted with hard choice. Their decisions will never be risk free
and they will never please everyone without taking the control of the
security into an account.
3.3 SECURITY OF COMPUTER ON THE POPULATION SAMPLING.
We also speak as though the issue were the security of
individual system. I would like to suggest that public trust is more
33
influenced by the security of collections or the populations of a
system.
To date, most work in computer security has been done at the
atomic level. That is, it has been about making statements about
individual systems. We now have metrics with which to compare the
trust of two systems. We are starting to do work at the sub-atomic
level. That is, we can make statements about how components affect
the security of a system. We have not even begun to make statements
about the security of a population or network of systems.
A reader of “Computer at Risk” might be lead to conclude that
the problem can be readily dealt with simply by improving the
security of component systems. However, security is not a perfectly
compatible property. That is, it is not possible to bind two systems
closely enough to preserve their security. The level of security will
always be something less than that of the lesser of the two. In view of
this, the population of computer user will determine the level of
security it will take in order not to be allow to vulnerable such as
hacker, firewall, theft, eave, drops and so on.
3.4 SIMILARITY LEVEL OF COMPUTER SECURITY
When I connect two systems as peers, either dominating or
controlling the other, I assume that the level of security of the two is
approximately the same as that of the least secure of the two. Yet,
intuitively I suspect that the security of a large population of systems
is higher than that of the least trusted system, and lower than the most.
34
How do we make statements about populations? What is the
effect of increasing the security of members of the population? We
have no science, art, or mechanism for addressing such questions.
Neither do we have information to tell us whether the managers of one
system or network consider the security of a nearby system before
deciding to connect to it. Yet at the level of society, at the level of
values, at the level of social trust and social order, these are the
questions of interest. The security of single systems has little
relevance on itself rather than on multiple systems.
3.5 COMPUTER SECURITY TECHNOLOGY AND ITS COMMERCIAL EFFECTS.
There is a natural, or at least historical, contention between
freedom and order. Nowhere does it manifest itself more than in
computing. The authorities are frightened by the individual freedom
afforded by the computer, and all too ready to jump in and impose
order. Any disorder is taken as justification.
On the other hand, they are equally frightened by the idea of
good security in private hands. The National Security Agency is
resisting any use of cryptography by commerce because of the
potential impact on the cost of intelligence gathering. Likewise, the
FBI has recently tried to outlaw the use of the same technology
because of the potential for its exploitation by criminals.
In the short run, the level of security in the population of
computer is a given. That is, the population is so large that it is not
possible to change the security except at the margin. However, the
National Academy of Science report, “Computer at Risk,” would have
us believe otherwise. They would have us believe that the problem is
35
one of the products offered by vendors, rather than the systems
operated by users. Therefore it believes that the solution is to
influence vendors, rather than users. If vendors will simply offer better
systems with safer defaults, then the problem will be solved. The
report is either not aware of or ignores the evidence that users
systematically compromise away the security properties with which
systems are shipped.
The security of the computer in commercial activities,
especially in banking are of the greatest important that need to be
address. There are two type of security key and the first one is public
security key and the second one is private security key the public
security key are the one that can be made know to other parties. As the
name implies, it is the key that is publicized. The public key of a party
is used to encrypt (open) the data sent to that party. While the private
security key kept secret from the public eyes and is only know by the
owner. It is used to decrypting (closed) data that have been encrypted
(open) by the corresponding public key.
3.6. CONCLUSION OF COMMERCIAL EFFECTS ON
SECURITY
The full enjoyment of the benefit of computers requires a
certain level of confidence in how they behave. The security of the
systems contributes to that trust. The issue is more one of trust in the
population of computer, rather than in any one. While most computer-
related behavior is orderly, there is sufficient deviant behavior for it to
be a threat to the necessary level of trust.
36
Security of system is necessary but not sufficient for the security of
the population. It appears to be important to be able to answer
questions about the level of trust in the population.
The values to be conserved include trust, confidence, cooperation,
collaboration, coordination, competition, contention, order, freedom,
and enjoyment of the use and benefits of computing. These values
conflict and contend. What is good for one may not be good for all of
the others. However, it is clear that security will impact them all. The
choices that confront us are hard choices.
Things that society concludes are valuable, it takes steps to conserve,
and there is some evidence to suggest that society will conclude that
computers are valuable. Yet to date, we have taken few such steps for
computers. To the extent that we fail, to the extent that the results are
unsatisfactory or even merely unsatisfying, we invite intervention by
authority with a corresponding loss of freedom
3.7 CRYPTOGRAPHIC TECHNIQUES
Cryptographic (art of keeping message secure) is a branch of
mathematics that is based on the transformation of data. It provides an
important tool for protecting information and is used in many aspect
of computer security. It is define as a tool for satisfying a wide
spectrum of computer security needs and requirements. In Alese
(2000), cryptography was said to mean the art science of encrypting
message such as that it is unintelligible to whoever is not authorized to
have access to it. Cryptography relies on two basis components: an
algorithm (a complex mathematical formula) and a key string of bits.
Cipher text
37
3.8 MODEL OF CRYPTOGRAPHIC SYSTEM
There are three type basis type of cryptographic:
1. Secret Key Cryptography (SKC)
2. Public Key Cryptography (PKC)
3. Hash Functions
Secret Key Cryptography (SKC): Uses a single key for
both encryption and decryption also know as asymmetric
system.
Public Key Cryptography (PKC): Uses one key for
encryption and another for decryption know as the
asymmetric system.
Hash Functions: Uses a Mathematical transformation to
irreversibly “encrypt” information
(C) Hash Function (One-way cryptography). Hash functions have no key
Hash FunctionCiphertextPlaintext
(B) Public Key (Symmetric) cryptography. PKC uses two keys, one forEncryption and Decryption
PlaintextCiphertextPlaintext
(A) Secret Key (Symmetric) cryptography. SKC uses a single key for bothEncryption and Decryption
PlaintextCiphertextPlaintext
38
3.9 SECRET KEY CRYPTOGRAPH SYSTEM
With secret key cryptography, a single key is used for both
encryption and decryption. As shown in Figure 1A, the sender uses the
key (or some set of rules) to encrypt the plaintext and send the
ciphertext to the receiver. The receiver applies and same key (or
ruleset) to decrypt the message and recover the plaintext. Because a
single key is used for both functions, secret key cryptography is also
called symmetric encryption.
With this form of cryptography, it is obvious that the key must be
known to both the sender and the receiver; that, in fact, is the secret.
The biggest difficulty with this approach, of course, is the distribution
of the key.
Secret key cryptography schemes are generally categorized as being
either stream ciphers or block ciphers. Stream ciphers operate on a
single bit (byte or computer word) at a time and implement some form
of feedback mechanism so that the key is constantly changing. A
block cipher is so-called because the scheme encrypts one block of
data at a time using the same key on each block. In general, the same
plaintext when using the same key in a block ciphers whereas the
same plaintext will encrypt to different ciphertext in a stream cipher.
(C) Hash Function (One-way cryptography). Hash functions have no key
39
Stream ciphers come in several flavors but two are worth mentioning
here. Self-synchronizing stream ciphers calculate each bit in the
keystream as a function of the previous n bits in the keystream. It is
termed “self-synchronizing” because the decryption process can stay
synchronizing with the encryption process merely by knowing how far
into the n-bit keystream it is. One problem is error propagation; a
garbled bit in transmission will result in n garbled bit at the receiving
side. Synchronous stream ciphers generate the keystream in a fashion
independent of the message stream but by using the same keystream
generation function at sender and receiver. While stream ciphers do
not propagate transmission errors, they are, by their nature, periodic so
that the keystream will eventually repeat.
3.8.1 Example of Secret Key Cryptography algorithms that are in use today includes DES & FIPS etc:
Data Encryption Standard (DES): The most common SKC
scheme used today, DES was designed by IBM in the 1970s and
adopted by the National Bureau of Standards (NBS) now the
National Institution for Standard and Technology (NIST) in
1977 for commercial and unclassified government application.
DES is a block-cipher employing a 56-bit key that operates on
64-bit blocks. DES has a complex set of rules and
transformations that were designed specifically to yield fast
hardware implementations and slow software implementations,
although this latter point is becoming less significant today
since the speed of computer processors is several orders of
40
magnitude faster today than twenty years ago, IBM also
proposed a 112-bit key for DES, which was rejected as the time
by the government; the use of 112-bit keys was considered in
the 1990s, however, conversion was never serious considered.
DES is defined in American National Standard X3.92 and three
Federal Information Processing Standards
3.8.3 Two Important Variants that Strengthen DES are:
Triple-DES (3DES): A variant of DES that employs up to three
56-bit keys and makes three encryption/decryption passes over
the block; 3DES is also described in FIPS 46-3 and is the
recommended replacement to DES.
DESX: A variant devised by Ron Rivest. By combining 64
additional key bits to the plaintext prior to encryption,
effectively increases the keylength to 120 bits.
3.9 PUBLIC KEY CRYPTOGRAPHY SYSTEM
Public-key cryptography has been said to be the most
significant new development in cryptography in the last 300-400
years. Modern PKC was first described publicly by Stanford
University Professor Martin Hellman and graduate student Whitfeld
Diffie in 1976. Their paper described a two key crpto system in which
two parties could engage in a secure communication over a non-secure
communications channel without having to share a secret key.
41
Generic PKC employs two keys that are mathematically
related although knowledge of one key does not allow someone to
easily determine the other key. One key is used to encrypt the
plaintext and the other key is used to decrypt the ciphertext. The
important point here is that it does not matter which key is applied
first, but that both keys are required for the process to work (Figure
1B). Because a pair of keys are required, the approach is also called
asymmetric cryptography.
In PKC, one of the keys is designated the public key and may
be advertised as widely as the owner wants. The other key is
designated the private key and is never revealed to another party. It is
straight forward to send messages under this scheme. Suppose Tboy
Richest want to send Ejiro Richest a message. Tboy Richest encrypts
some information using Ejiro Richest public key; Ejiro Richest
decrypts the ciphertext using his private key. This method could be
also used to prove who sent a message; Tboy Richest, for example,
could encrypt some plaintext with here private key; when Ejiro
Richest decrypts using Tboy Richest public key, he knows that Tboy
Richest sent the message and Tboy Richest cannot deny having sent
the message (non-repudiation).
HASH FUNCTIONS
Hash functions, also called message digests and one way encryption,
are algorithms that, in some sense, use no key (Figure 1C). Instead, a
fixed-length hash value is computed based upon the plaintext that
42
makes it impossible for either the contents or length of the plaintext to
be recovered. Hash algorithms are typically used to provide a digital
fingerprint of a file’s contents, often used to ensure that the file has
not been altered by an intruder or virus. Has functions are also
commonly employed by many operating systems to encrypt
passwords. Hash functions, then, provide a measure of the integrity of
a file.
Certain extensions of hash functions are used for a variety of
information security and digital forensics applications, such as:
Hash Libraries are sets of hash values corresponding to known
files. A hash library of known good files, for example, might be
a set of files known to be a part of an operating system, while a
hash library of known bad files might be of a set of known child
pornographic image.
Rolling hashes refer to a set of hash values that are computed
based upon a fixed-length “sliding window” through the input.
As an example, a hash value might be computed on bytes 1-10
of a file, then on bytes 2-11, 3-12, 4-13, etc.
Fuzzy hashes are an area of intense research and represent hash
values that represent two inputs that are similar. Fuzzy hashes
are used to detect documents, images, or other files that are
close to each other with respect to content. See “Fuzzy
43
Hashing” (PDF/PPT) by Jesse Kornblum for a good treatment
of this topic.
WHY THREE ENCRYPTION TECHNIQUES
So, why are there so many distinct types of cryptographic schemes?
Why can’t we do everything we need with just one?
The answer is that each scheme is optimize for some specific
application(s). Hash functions, for example, are well-suited for
ensuring data integrity because any change made to the contents of a
message will result in the receiver calculating a distinct hash vales
than the one placed in the transmission by the sender. Since it is
highly unlikely that two distinct messages will yield the same hash
value, data integrity is ensured to a high degree of confidence.
Secret key cryptography, on the other hand, is ideally suited to
encrypting message, thus providing privacy and confidentiality. The
sender can generate a session key on a per-message basis to encrypt
the message; the receiver, of course, needs the same session key to
decrypt the message.
Key exchange, of course, is a key application of public-key
cryptography (no pun intended) . Asymmetric schemes can also be
used for non-repudiation and user authentication; if the receiver can
obtain the session key encrypted with the sender’s private key, then
only this sender could have sent the message. Public-key cryptography
could, theoretically, also be used to encrypt messages although this is
44
rarely done because Secret-key cryptography operates about 1000
times faster than Public-key cryptography.
Sent To
Ejiro Richest
EncryptedSession Key
EncryptedMessage
Public Key Cryptograph
Ejiro Richest Public Key
RandomSession Key
Hash Function
Tboy RichestMessage
Public Key Cryptograph
Tboy RichestPrivate Key
Secret KeyCryptograph
Digital Envelope
Digital Signature
Figure 2: Sample Application of the threeCryptographic Techniques for Secure Communication
45
Figure 2 put all of this together and shows how a hybrid cryptographic
scheme combines all of these functions to form a secure transmission
comprising digital signature and digital envelope. In this example, the
sender of the message is Tboy Richest and the Receiver is Ejiro
Richest.
A digital envelope comprises an encrypted message and an encrypted
session key. Tboy Richest secret key cryptography to encrypt her
message using the session key, which she generates at random with
each session. Alice then encrypts the session key using Ejiro Richest
public key. The encrypted message and encrypted session key together
form the digital envelope. Upon receipt, Ejiro Richest recovers the
session secret key using his private key and then decrypts the
encrypted message.
The digital signature is formed in two steps. First, Tboy Richest
computes hash value of his message; next, he encrypts the hash value
of her message; next she encrypts the hash value with his private key.
Upon receipt of the digital signature, Ejiro Richest recovers the hash
value calculated by Tboy Richest by decrypting the digital signature
with Tboy Richest public key. Ejiro can then apply the hash function
to Tboy Richest original message, which he has already decrypted (see
previous paragraph). If the resultant hash value is not the same as the
value supplied by Tboy Richest, the Ejiro Richest knows that the
message has been altered; if the hash values are the same, Ejiro
Richest should believe that the message he received is identical to the
one that Tboy Richest sent.
46
This scheme also provides nonrepudiation since it proves that Tboy
Richest sent the message; if the hash value recovered by Ejiro Richest
using Tboy Richest public key proves that the message has not been
altered, then only Tboy Richest could have created the digital
signature. Ejiro Richest also has proof that he is the intended receiver;
if he can correctly decrypted the session key meaning that his is the
correct private key.
47
CHAPTER FOUR
4.1 HACKERS AND CRACKERS
Hacking means finding out weaknesses in a computer or computer
network, though the term can also refer to someone with an advanced
understanding of computers and computer networking. Hackers may
be motivated by multitude of reasons, such as profit, protest, or
challenge. Some use their skills for business, developing penetration
tools to analyze a customer’s networks for security vulnerabilities.
The subculture that has evolved around hackers is often referred to as
the computer underground but it is now an open community.
A Crackers is the one who does “Cracking”.
Cracking is the act of breaking into a computer system, often on a
network; bypass passwords or licenses in computer programs; or in
other ways intentionally breaches computer security. And seek to
‘Crack’ or gain unauthorized access to computer to steal what have
been stored on our computers, Bank Account Details, Credit Card
Number, financial or business information.
A cracker can be doing this for profit, maliciously, for some altruistic
purpose or cause, or because the challenge is there. Some breaking-
and-entering has been done ostensibly to point out weaknesses in a
site’s security system.
48
Because of the understanding amongst most people that people that
hackers are malicious, for the purposes of this article, I will use
‘hacker’ and ‘cracker’ interchangeably to mean intrudes with
malicious intent.
4.2 EFFECTS OF COMPUTER HACKING
For some, hacking may just be a hobby to see how many computers or
networks they can crack. For other, there is malicious intent behind
their escapade, like stealing…
1. It can expose sensitive user data and risk user privacy, hacking
activities expose confidential user information like personal
details, social security numbers, credit card numbers, bank
account data and personal photograph
2. User information, in the hands of computer hackers, makes it
vulnerable to illegitimate use and manipulation.
3. Deletion or manipulation of sensitive data with intent to
achieve personal gain is another effect, a user whose computer
has been hacked is at the risk of losing all data and stored on it
computer. Manipulation of sensitive user data is a grave
consequence of hacking.
4. Identity theft is another important consequence of computer
hacking .identity theft is a fraud that involves pretension to be
someone else, with intent to gain unauthorized access to
information or property.
49
5. Hacking can be used to convert computers into zombies’ i.e.
internet-enabled computers that are computerized by hackers or
computer viruses. Zombie computers are used for fraudulent
activities like spamming and phishing.
4.3 TOOLS USED BY THE HACKER FOR HACKING THE COMPUTER SYSTEM
1. Nmap. (“Network Mapper”)
2. Nessus Remote Security Scanner
3. SuperScan
4. PuTTY
5. Password Cracking or Sniffing Programs
6. Vulnerability Scanners.
7. Malicious Programs
Nmap. (“Network Mapper”)
Nmap. (“Network Mapper”) is a free open source utility for
network exploration or security auditing. It was designed to
rapidly scan large networks, although it works fine against
single hosts. Nmap uses raw IP packets in novel ways to
determine what hosts are available on the network, what
services (application name and version) those host are offering,
what operating systems (an OS versions) they are running, what
type of packet filters/firewalls are in use, and dozens of other
characteristics. Nmap runs on most types of computers and both
50
console and graphical versions are available. Nmap is free and
open source. Can be used by beginners (-sT) or by pros alike (-
packet_trace). A very versatile tool, once you fully understand
the results.)
Nessus Remote Security Scanner
Nessus is the world’s most popular vulnerability scanner used in
over 75,000 organizations world-wide. Many of the world’s
largest organizations are realizing significant cost savings by
using Nessus to audit business-critical enterprise device and
application.
SuperScan
Powerful TCP port scanner, pinger, resolver. Super Scan 4 is an
update of the highly popular Windows port scanning tool,
SuperScan.
PuTTY
PuTTY is a free implementation of Telnet and SSH for Win32
and Unix platforms, along with an xterm terminal emulator. A
must have for any h4xor wanting to telnet or SSH from
windows without having to use the crappy default MS
command line clients.
Password Cracking or Sniffing Programs.
A password cracking program guesses users’ passwords,
whereas a sniffer program watches information passing through
51
the Internet. The aim of using these computer hacking programs
is to obtain usernames and passwords for unauthorized access.
Vulnerability Scanners.
Computer hacking can use vulnerability scanners to check a
computer for security weaknesses, such as those common on
Windows Operating Systems. When vulnerability is found, the
hacker knows exactly what to target to hack the system. Take
for example, a hacker armed with a laptop loaded with
searching software and an Omni-directional antenna. He/she
can car-cruise down local neighborhoods and business parks to
detect the locations of wireless network access points, or
hotspots. The hacker will make note of the site, return at a later
time, and hack into the network to search for vulnerabilities.
This practice is known as “wardriving” or “drive-by hacking”.
Malicious Programs
Hackers use backdoors-such as Trojan horses and rootkits-
viruses, and worms to compromise our systems.
Trojan Horses: are designed to appear to do one thing, such as
a free game, but really do something malicious. They are often
downloaded in a piece of freeware. A Trojan can be used to
create a backdoor, allowing a hacker to gain access later.
A Root-kits: is a piece of software that can be installed in a
similar way to a Trojan and hidden on our computer without our
52
knowledge. Root-kits are not necessarily malicious, but they
may hide malicious activities. Attackers may be able to access
information, monitor our actions, modify programs, or perform
other functions on our computer without being detected.
A Virus: is a self-replicating program that spreads copies of
itself to other programs on the computer it has infected.
A Worm: is also a self-replicating program, but it can spread
copies of itself to other computers. It may carry a malicious
program, such as a Trojan horse, which gives a hacker a
backdoor entrance to our PC.
4.4 HOW TO PREVENT COMPUTER HACKING
Security threats to information systems have increased 65
percent over the past two years, and the number of network intrusions
has quadrupled. Any small business with a broadband internet
connection needs to guard against becoming a cyber-crime victim.
Here are simple, effective steps that small business owners and
network administrators can take to protect/prevent computer hackings.
1. Implement a firewall
2. Develop a corporate security policy
3. Install anti-virus software
4. Keep operating system up to date
5. Don’t run unnecessary network services
6. Conduct a vulnerability test
7. Keep informed about network security
53
Implement a firewall
A firewall is a barrier that keeps hackers and virus out of
computer networks. Firewalls intercept network traffic and
allow only authorized data to pass through.
Develop a corporate security policy
Establish a corporate security policy should direct employees to
choose unique passwords that are a combination of letters and
numbers. Passwords should be changed every 90 days to limit
hackers’ ability to gain possession of a functioning password.
When someone leaves company, immediately delte the user
name and password. The corporate policy should outline
consequences for networking tampering and unauthorized entry.
Install anti-virus software
All computers should run the most recent version of an anti-
virus protection subscription. Ideally a server should be
configured to push virus updates out periodically to all client
systems. Employees should be educated about viruses and
discouraged from opening e-mail attachments or e-mail from
unknown senders.
Keep operating system up to date
Upgrade operating systems frequently and regularly install the
latest patches or versions of software, which are often free over
54
the Web. If you use Microsoft Windows, check
www.windowsupdate.com periodically for the latest patches.
Don’t run unnecessary network services
When installing systems, any non-essential features should be
disabled. If a features is installed but not actively used, it is less
likely to be updated regularly, presenting a larger security
threat. Also, allow only the software employees need to do their
job effectively.
Conduct a vulnerability test
Conducting a vulnerability test is a cost-effective way to
evaluate the current security program. This test highlights flaws
and limitations in the program, and experts can offer
suggestions for improvement. The best method for conducting
vulnerability test is to contact a computer consulting company
and provide access to your system for a day or two. This will
provide ample time for network appraisal and follow-up
discussion and planning.
Keep informed about network security
Numerous books, magazine and online resources offer
information about effective security tools and “lessons learned”.
Also, the Web provides ample and very current information
about security-type in the key words “network security.”
55
CHAMPTER FIVE
5.1. SUMMARY
Through this research work, computer security and public trust
has been seen to an indispensable concept that is important in any
business organization especially, in this concept of computer security,
several finally have been out themselves to be largely disputable,
some of which are:
To focus on the security of the computer components.
To analysis the various computer crime and fraud that are
common to the computer technology.
To expatiate further about the computer hacker and crackers.
These facts are seen to be interrelated.
The work under review is creates on the security and computer crime
as it affects all the works of life and towards the attainment of the
security objective. The crackers and hackers attributes toward the
security of computer technology is also highlighted as well as their
positive and negative effect.
5.2. CONCLUSION
The full enjoyment of the benefit of computer requires a certain
level of confidence in how they behave. The security of the systems
56
contributes to that trust. The issue is more of one of trust in the
population of computer-related behavior is orderly; there is sufficient
deviant behavior for it to be a threat to the necessary level of trust.
Security of system is necessary but not sufficient for the population. It
appears to be important in order to answer questions about the level of
trust in population.
The value to be conserved includes trust, confidence,
cooperation, collaboration, coordination, competition, contention,
freedom, and enjoyment of the use and benefit of computing. These
values conflict and contend what is good for one may not be good for
others. However, it is clear that security will impact them all.
In conclusion, the public trust and fraud prevention is very
important in the world of computer technology and should be
encouraged for optimum consideration.
5.3. RECOMMENDATION
In the course of this research work some facts finding have been
established about computer security and the roles it plays in the
research hereby recommend the following:
A. We write and speak, and behave as through security were
free as through it were on independent properly that
57
could be achieved without diminishing any other
desiderate.
B. The good security is depending on its design, this is true
however, in another sense security is usually achieved at
the expense of some other desirable property of the
system, and we need to take security onto a proper
consideration.
C. It also recommended that costs of security on the
computer are far reaching within the users and designer.
The ability of any computer designer is to see that the
security of the system are as well guarantee and the cost
of the design must be bore on the designer for the
flexibility of a system. The proper handling of the
computer security is highly recommended.
D. All our computers should be running the most recent
version of an antivirus program.
E. Our operating system and other software should be
patched as soon as updates are released. Maintaining the
most recent version of software and operating system will
58
help in blocking hackers from getting through any
vulnerability into our system.
In view of the above, it’s highly recommended that the security of
any computer system is of important and utmost.
Related Documents
