Computer Security Notes

This document provides notes from lectures and tutorials on computer security. It covers topics like aims of security, risks and threats, malware, and assignment requirements. The key points are: - The unit has a 50% pass rate, with people typically struggling more on assignments than exams. - The main aims of security are confidentiality, integrity, availability, authenticity, and non-repudiation/accountability. - Risk assessment involves determining the likelihood and impact of threats exploiting vulnerabilities. - Malware is malicious software that can damage systems by stealing data, monitoring activity, and using device resources without consent.
lOMoARcPSD|5619098

Computer Security (Edith Cowan University)

Downloaded by Dr. Sandeep Saxena ([email protected])

Computer Security Entire Semester Notes

CSI1101: Computer Security


Week 1 Lecture

Pass rate 40-50% of cohort.


People struggle with the assignments, not the exams.

The lecturer prefers real-life examples of computer security breaches over hypothetical
examples. (Big bonus marks: credit -> distinction, distinction -> high distinction, roughly
10% extra.)

Subject line of emails: CSI1101 - Assignment 1 Question

Book for this unit:


Computer Security: Principles and Practices, Third Ed.
William Stallings and Lawrie Brown.
Pearson.

Assignment Structure:
- Test 5%
- Assignment 1 20%
- Assignment 2 25%
- Exam 50%

In order to pass the unit, students must achieve 50% or more overall AND 50% or more in the
exam.

Lecture 1: Basic Principles and Aims of Security

Why are the “default” security settings on digital devices an issue?


Convenience for consumers.

Aims of Security
Generally the following are considered to be the aims of computer and information security:
- Confidentiality
- Integrity
- Availability
- Authenticity
- Non-repudiation/Accountability
Some consider all five to be the aims of security.
Others consider only the first three.

Examples of infringements of these security goals?


Confidentiality - database breaches of private information, e.g. credit card, personal, medical
data etc.
Integrity -
Availability - DDoS attacks, slowing services or stopping services to clients
Authenticity - Unauthorized access to accounts whether it be social media, email, banking, etc
Non-Repudiation/Accountability -

Security is Difficult to Sell (Exam Question ??) (Most people fail this question)
Management may ask:


- What does it cost


- What do we get
- How much will it cost to maintain
- Will we need to train our staff
- Will we need to update or review our policies
- Imagine selling your friend something they cannot see, touch or use, and trying to prove to
them that they need it now
- Would you buy asteroid insurance?

Selling Security -> What management wants to know if you are trying to sell them security
systems:
1. Link your internal business case to legislative requirements and best practice
2. Communicate the consequences of a breach as it relates to each asset
3. Use internal metrics, logs and data to demonstrate potential breaches
4. Present a complete security strategy; avoid bolting quick fixes onto existing infrastructure
5. Present a realistic breakdown of time, cost and quality management
6.
7.
8.
(Look at slides later in term)

CSI1101: Computer Security


Week 1 Tutorial

The majority of students who fail the unit do so because of their assignment marks.


Those who receive low assignment marks often have not referenced properly or do not include
any references at all.
Reference properly.

What should be referenced?


- Words and ideas
- Numbers, statistics, percentages
- Diagrams, pictures
- Source code
- Charts, graphs

Instead of copying something word for word, paraphrase it into your own words.

Original sentence: “It is of considerable concern that so many enterprise level hard disks still
contained recoverable data.”

Paraphrased sentence: “Since large corporations are disposing of hard disk with data intact
(Valli & Woodward, 2007), one could question how the data could be misused if it fell into the
wrong hands.”

Assignment 1:
Install virtual machine on computer.
Mac - Oracle VirtualBox (free, and have used it before)

Report - Max 10 pages.


Report Requirements:
Title Page
Table of contents
Introduction
Main content
Summary
Reference list

Do not propose any solutions.


Only identify and justify the security issues you have discovered.
20-40 references should be found.

Assume target audience has little expertise in cyber security, as a result must communicate
findings in a simple manner.

VirtualBox Security Concerns:


- Figure out what is needed for it to be most secure, compare the most secure environment to
the current environment and figure out what needs to be fixed. Uninstall recoverable

CSI1101: Computer Security


Week 2 Lecture
Risks, Threats and Threat Modelling

What is a Threat?
An entity likely to cause damage or danger.
An act designed to obtain a negative response.

What is a Vulnerability?
A flaw or weakness in the design, implementation, or operations of a system.
How open something is to an attack.
Threats act on or exploit vulnerabilities.

Risk Assessment
Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the asset,
minus the percentage of risk mitigated by current controls, plus the uncertainty of current
knowledge of the vulnerability.

Risk control strategies


- Defence
- Mitigate
- Accept
- Transfer
- Terminate

Instinctive Risk Assessment


Real Vs Perceived Risk
Risk Perception

Contingency Planning (CP)


- A CP is used to anticipate, react to, and recover from events that threaten information assets,
it involves:
> A business impact analysis (BIA)
> Incident response plan (IRP)
> Disaster recovery plan (DRP)
> Business continuity plan (BCP)

Generic Threats
- Interception
- Modification
- Fabrication
- Interruption

Information Warfare

Malware

Espionage

Eavesdropping/surveillance

Motivations of Attackers
- Financial
- Emotional, revenge
- Ideological, activists, hacktivists
- Opportunistic
- Compulsion/addiction
- Social acceptance
- Challenge

Capabilities of Attackers

Risk Aversion

Modelling Threats

Attack Trees
- Put ourselves in the position of the attacker


Attack Tree Diagram for Exam:


- 30 Nodes, 75% of technical nature
- Identify actual software to use for this

Determining possible attack avenues?


- Not quick or easy
- Journal papers, conference papers
- Blackhat conferences, Defcon, Kiwicon
- News media, magazines
- Use variations of old attacks
- Common Vulnerabilities and Exposures (cve.mitre.org)
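Added example (my own code, not from the notes): a minimal attack tree with AND/OR nodes, used the way a defender uses one: compute the attacker's cheapest path to the root goal, then see how adding a control moves the weakest link. The goal, node names and effort costs are constructed for illustration.

```python
class Node:
    """LEAF nodes carry an attacker effort cost; AND/OR nodes combine children."""
    def __init__(self, name, kind="LEAF", cost=0, children=None):
        self.name, self.kind, self.cost = name, kind, cost
        self.children = children or []


def cheapest_path(node, controls=None):
    """Return (total_cost, [leaf names]) of the least-cost way to reach `node`.

    `controls` maps a leaf name to the extra effort a safeguard adds to it.
    """
    controls = controls or {}
    if node.kind == "LEAF":
        return node.cost + controls.get(node.name, 0), [node.name]
    sub = [cheapest_path(child, controls) for child in node.children]
    if node.kind == "AND":      # every child is required: costs add up
        return sum(c for c, _ in sub), [leaf for _, leaves in sub for leaf in leaves]
    if node.kind == "OR":       # any child suffices: the attacker picks the cheapest
        return min(sub, key=lambda pair: pair[0])
    raise ValueError(f"unknown node kind: {node.kind}")


def count_nodes(node):
    """Total node count (the exam asks for a tree of about 30 nodes)."""
    return 1 + sum(count_nodes(child) for child in node.children)


# Constructed tree: attacker goal at the root, effort in arbitrary units.
TREE = Node("Read confidential report", "OR", children=[
    Node("Obtain a user's password", "OR", children=[
        Node("Phish the user", cost=20),
        Node("Guess a weak password", cost=10),
    ]),
    Node("Use an unattended workstation", "AND", children=[
        Node("Enter the building", cost=40),
        Node("Find an unlocked session", cost=30),
    ]),
    Node("Exploit unpatched file server", cost=60),
])

if __name__ == "__main__":
    print("no controls:", cheapest_path(TREE))
    # A password policy plus MFA raises the cost of both credential leaves.
    print("with MFA   :", cheapest_path(TREE, {"Guess a weak password": 100,
                                               "Phish the user": 50}))
```

Re-running the cheapest-path query after each proposed control is the point of the exercise: here the credential controls do not make the goal unreachable, they move the weakest link to the unpatched server, which tells you what to fix next.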

Controls and Safeguards

CSI1101: Computer Security


Week 3: Malware

What is Malware?
- Malware (malicious software)
- Software designed to infiltrate, damage or disrupt a computer system without the owner’s
informed consent.
- A set of instructions that run on your electronic device and make it do something that an
attacker wants it to do.

Attackers target small devices such as phones and tablets because their vendors are less likely
to release patches, or to release them in a timely manner, than large vendors such as
Microsoft or Apple.

Consequences of Malware?
Malware may:
- Steal your personal information
- Monitor your computer activity
- Install additional software
- Create backdoors
- Lower the overall state of security
- Display forced advertising
- Enable profiteering scams
- Use your computer resources (CPU, RAM etc.)

What does malware look like to a home user?


Computers: Easily noticeable if malware is affecting the computer.
Phones (e.g. Android): Not noticeable at all if malware is affecting the phone.

Evolution of Malware
Complexity of attacks over time.
1990-2000:
Attacks: Against web server.
Motivations: Defacement, glory.


2000-2004:
Attacks: Against web server, data and infrastructure.
Motivations: Corporate information and financial gain.
2004-2009:
Attacks: Against web application, data infrastructure and end-user computers
Motivation: Corporate information, personal information and financial gain.

Research has shown you can remotely install malware in vehicles which use electronic
systems.

Malware Attack Kits


Initially the development and deployment of malware required considerable technical skill by
software authors.
- The development of virus-creation kits in the early 1990s and then general malware kits
in the 2000s greatly assisted in the development and deployment of malware.
Toolkits are often known as “crimeware”.
- Variants that can be generated by attackers using these toolkits create a significant
problem for those defending systems against them.
Widely used toolkits include:
- Zeus
- Blackhole
- Sakura
- Phoenix

Attack Sources
A significant development in malware is the change from attackers being individuals motivated to
demonstrate their technical competence to organised and dangerous attack sources, i.e.:
- Politically motivated attackers
- Criminals
- Organised crime
- Organisations that sell their services to companies and nations
- National government agencies

Malware Categories
- Viruses
- Trojan horses
- Worms
- Rootkit
- Botnets
- Logic bombs
- Spyware
- Scareware
- Ransomware

When does a system become vulnerable to malware?


- Flaws or bugs in software
- Over privileged users or system processes
- Design of software or a system
- Poorly implemented Standard Operating Environment (SOE) practices

Malware Specimens


Zeus Trojan Horse


- Commonly spread by Facebook messages
- Installed via drive-by-downloads and phishing
- Works on Microsoft Windows only
- Attacker fine tunes their Trojan to steal information of interest to them only
- Awakes when a particular site is accessed
Psyb0t
- Targets Linux based ADSL routers
- Infection occurs from an internal IP address
- Initially pre-populated with 6000 usernames and 13,000 passwords.
- Generally exploits poorly configured devices.
- When part of a botnet it receives commands via IRC command and control servers.

Rather than infecting one computer, infect the router that the network relies on, to have
unrestricted control over who uses the connection and how, while it is being monitored.

Works on human ignorance, that people do not change the default password for the router.

No Anti-Virus software exists for Routers.

Power cycling the device will remove the infection, as the malware resides in temporary (volatile)
memory.

Classifying Malware
Malware can be classified into several categories, depending on the propagation, concealment
and payload.
Propagation e.g.
- Human assisted (e.g. a virus in an email attachment)
- Automatic propagation (without human assistance, e.g. a worm)

Concealment:
- Modifies OS to hide its existence (rootkit)
- Provides desirable functionality (Trojan)
Payload:
- Amusing/annoying pranks
- Destroy or corrupt files
- Denial of Service attacks
- Install backdoor(s)
- Alter web browsing settings to display advertising

Viruses
Piece of software that infects programs:
- Modifies them to include a copy of the virus
- Replicates and goes on to infect other content
- Easily spread through networked environments
When attached to an executable program a virus can do anything that the program was
permitted to do.

Virus Structure
Infection mechanism
- Means by which a virus spreads or propagates


Trigger
- Event or condition that determines when the payload is activated or delivered i.e. logic bomb
Payload
- What the virus does besides spreading
- Could be damaging or benign

File Virus Infection Techniques

Virus Classifications
By target:
- Boot sector infector
- File infector
- Macro virus
- Multipartite virus
By concealment strategy:
- Encrypted virus
- Stealth virus
- Polymorphic virus
- Metamorphic virus

Worms
A computer worm is a program that spreads without needing to insert itself into other files and
usually without human interaction.
A worm will usually carry a malicious payload, such as deleting files or creating a backdoor.
Most worms spread by exploiting vulnerabilities or poorly configured systems.

Worm Propagation
1. Scan for targets on network
2. Locate a target with a vulnerability that could be exploited by the worm
3. Exploit the identified vulnerability and establish itself on that host
4. Repeat the process by scanning for new targets that can be exploited

Worm Types
- Electronic mail or instant messenger facility
- File sharing
- Remote execution capability
- Remote file access or transfer capability
- Remote login capability


Trojan Horses
- A trojan horse is a program that appears to be useful, but also performs a malicious task on the
computer, smartphone, IoT device etc.
- Can be the resultant payload or its own program.

Trojan Horse Types


Common Trojan Horse (social engineering)
- A functional program with an alternative malicious behaviour, e.g. every time the 7 key is
pressed a file is deleted at random.
- Files/partitions could be encrypted, requiring payment before they are again accessible, i.e.
ransomware.

Deceiving you into thinking it has desirable and working functionality.

Remote Access Trojan horse (RAT)


- Allows the device to be controlled/monitored
- A backdoor into a system that allows an attacker to execute or monitor actions on the victim's
computer
- Allows the infected host to be accessed when behind a firewall/router/NAT (discussed in a later
module).

Rootkits
A stealthy application designed to hide the fact that an operating system has been
compromised.
Typically encompasses three components:
- Concealment
- Command and control
- Surveillance

Types of Rootkits
User-mode rootkits:
- Run on infected device with admin/root access
- May alter/hide security settings, processes, files, system drives, network ports, and system
services.
- Can typically be removed with AV software but (some) damage to the system may be
unrepairable.
Kernel-mode rootkits:
- Kernel-mode rootkits run at the operating system level by adding to or changing critical system
files.
- Modify kernel data structures to return manipulated information to user applications.
- System is infected via updates/patches
- Removing kernel-mode rootkits is extremely problematic.
Firmware rootkits:
- Hides in firmware stored on flash memory.
- Restarting/power cycling the infected device will result in re-infection.
- Removal of a firmware rootkit is only temporary, until the infected device is restarted.
- May require an entire firmware update to be loaded, resulting in data/settings being lost.

Botnets
Botnet (or robot network) is a collection of compromised computers.


Each compromised computer has malware installed on it… usually a RAT.


The “master” controls each of the computers (zombies) over the Internet via the installed
malware.

Malware can turn a host into a zombie.


A zombie is a machine controlled by a master.

Logic Bombs
- A logic bomb (usually) performs a malicious action as a result of a certain logic condition.
- A programmer puts code into software for the payroll system that makes the program crash
should it ever process two consecutive payrolls without paying him.
- Some trial programs work for a certain period of time and then disable themselves.

Spyware
1. Spyware infects a computer
2. Spyware process collects keystrokes, passwords and screen captures.
3. Spyware process periodically sends collected data to spyware data collection agent.

Adware
1. Adware infects a computer.
2. Adware engine requests ads from adware agent.
3. Adware agent delivers ad content to user.

Scareware (aka Trojan horse)


Trick the user into downloading (fake anti-virus) malicious software.

Ransomware
- Software that kidnaps a user's computer by encrypting a drive or files, then demanding
payment (usually in Bitcoin) to decrypt it.
- If not paid within a certain amount of time (usually 72 hours) the key will be destroyed.
- Recent ransomware versions allow users to decrypt a few files for free to prove they can be
recovered.

Script kiddies have made it so that even after payment, files are not decrypted.
Therefore big cyber criminals allow victims to decrypt a few select files for free to prove that
the files will be recovered if they pay the ransom.

Generations of Anti-Virus Software


First generation: simple scanners
- Requires a malware signature to identify the malware
- Limited to the detection of known malware
Second generation: heuristic scanners
- Uses heuristic rules to search for probable malware instances
- Another approach is integrity checking
Third generation: activity traps
- Memory-resident programs that identify malware by its actions rather than its structure in an
infected program
Fourth generation: full-featured protection

Malware Countermeasures - Signatures


- Each malware specimen has a unique set of instructions.


- Instructions form the signature or “fingerprint”


- Anti-virus software uses a signature database to detect known malware.
- A file is considered infected if it contains the known signature or unique instructions.

Sometimes false positives occur:


- A “safe” file has instructions similar to a known virus file.
- The vendor's signature database is proprietary.
- Demand for vendors detecting and releasing an updated database of signatures is high.
- Until your anti-virus software database is updated you remain vulnerable.
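Added example (my own code, not from the notes or any AV vendor): a toy signature scanner for the "Malware Countermeasures - Signatures" section. It matches both byte-pattern fingerprints and whole-file hashes over a set of constructed sample files, and the samples are chosen to show the two failure modes the notes mention: a harmless report that quotes a fingerprint string (false positive) and a toolkit variant with one byte changed (missed detection). All signatures and files are invented; none are real malware fingerprints.

```python
import hashlib

# Constructed byte-pattern signatures (invented for this example).
PATTERN_SIGNATURES = {
    "Demo.Dropper.A": b"\x90\x90\xeb\x1f\x5e\x89\x76\x08",
    "Demo.Adware.B": b"INSTALL_ADS_NOW",
}

# A whole-file hash signature: the digest of one constructed "known bad" file.
KNOWN_BAD_FILE = b"MZ" + b"\x00" * 6 + b"worm-body-constructed-sample"
HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD_FILE).hexdigest(): "Demo.Worm.C"}


def scan(data):
    """Return the signature names that match `data` (empty list = clean)."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:             # exact match on the whole file
        hits.append(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:                   # fingerprint found inside the file
            hits.append(name)
    return hits


def scan_many(files):
    """Scan a {filename: bytes} mapping; returns {filename: [signature names]}."""
    return {name: scan(content) for name, content in files.items()}


# Constructed sample "files" (no real executables involved).
SAMPLE_FILES = {
    "installer.exe": b"MZ" + b"\x00" * 30 + PATTERN_SIGNATURES["Demo.Dropper.A"] + b"\xcc" * 10,
    # Toolkit variant: the last byte of the fingerprint differs, so the signature misses it.
    "installer_v2.exe": b"MZ" + b"\x00" * 30 + b"\x90\x90\xeb\x1f\x5e\x89\x76\x09" + b"\xcc" * 10,
    # A harmless analyst's report that quotes the adware string -> false positive.
    "report.txt": b"The sample writes the string INSTALL_ADS_NOW to the registry.",
    "worm.bin": KNOWN_BAD_FILE,
    "notes.txt": b"Nothing to see here.",
}

if __name__ == "__main__":
    for filename, hits in scan_many(SAMPLE_FILES).items():
        print(f"{filename:18s} {'CLEAN' if not hits else ', '.join(hits)}")
```

The hash signature is exact but brittle (any change to the file defeats it); the byte pattern is more tolerant but can fire on innocent data that happens to contain the same bytes. This is why later generations moved to heuristics and behaviour monitoring.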

Shield vs. On-demand


Shield:
- Background process (daemon/service)
- Scans when a file is touched (open, copy, etc.)
On-demand:
- Scan on explicit user request or according to regular schedule.
- Scan on a suspicious file, directory, drive etc.

Online Anti-Virus Software


- Free browser plug-in
- No shielding
- Software/signatures updated before the scan
- Each scan requires internet connectivity
- Report collected by the company that offers the software

Scanning Suspicious Files and URLS


Virus Total

Android Application Scanner


APK Analyser

Future of Malware
What will malware look like in the future?
- Ransomware + IoT devices?
All electronic devices are prone to malware
- Implications for hospitals
- How about planes?

Cyber Warfare
It is easier to hire a dozen hackers than it is to buy a dozen missiles.
Will malware be the form of terrorism in the future?
Robbing a bank with a gun lacks class, why not just use malware?

CSI1101: Computer Security


Week 3 Tutorial

Five objectives of Security:


- Confidentiality


- Integrity
- Availability
- Authenticity
- Non-Repudiation

Four stages of Virus:


- Dormant
- Triggering
- Propagation
- Execution

1. Assume you find a USB memory stick in your work parking area. You are determined
to find out what digital content resides on this persistent storage.
a) What threats might this pose to your work computer should you just plug the memory
stick in and examine its contents?
Cache from USB could have illegal content on it, such as
Threats:
- Self executed virus
- Human assisted virus

Unsure Threats
- Is there cache (or some sort of temporary data) from the USB, e.g. icon previews, image
previews etc., that contains harmful or illegal content?
-
b) What steps should you take to mitigate these threats, and safely determine the
contents of the USB memory sticks?
Run it in a virtual machine.
Do not use it.
Disable autorun or autoplay.
Make sure you're not logged in on an admin account.

CSI1101: Computer Security


Week 4 Lecture: Cryptography 1

Assignment 1:
Per issue, 2-3 sentences of writing.
(Less than 10 pages)

Look at marking key and follow it.


Title Page
Contents Page
Introduction
Conclusion

Terminology
- Encryption
- Cipher
- Plaintext
- Ciphertext (output of the encrypted plaintext message)

Why is Encryption important?


- Privacy
- Confidentiality

The Role of Cryptography


- One of the most important and fundamental computer security tools
- Used to hide the meaning of information or communication
> When sending highly sensitive documents
> Undertaking banking online

Codes and Ciphers


Codes:
- Replacing a phrase or message with a word or symbol (brb = be right back)

Ciphers:
- Replacing individual characters, digits or bits
- “be right back” could be replaced with “cf sjhiu cbdl”
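Added example (my own code, not from the notes): the code-versus-cipher distinction above in Python. A code replaces whole words from a codebook; a cipher replaces individual characters, here by shifting letters, and a shift of 1 reproduces the "cf sjhiu cbdl" example. The codebook entries are constructed. The last two functions go a little beyond the notes: they enumerate the whole key space of the shift cipher (only 25 keys) to show why such a cipher offers no real protection.

```python
CODEBOOK = {"brb": "be right back", "afk": "away from keyboard"}  # constructed


def decode_codewords(text):
    """A code replaces whole words or phrases: expand the known codewords."""
    return " ".join(CODEBOOK.get(word, word) for word in text.split())


def shift_text(text, shift):
    """A cipher replaces individual characters: shift each letter by `shift`
    places in the alphabet, wrapping around; other characters are unchanged."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def all_shifts(ciphertext):
    """The entire key space of a shift cipher is 25 keys: list every candidate."""
    return [(k, shift_text(ciphertext, -k)) for k in range(1, 26)]


def recover_shift(ciphertext, crib):
    """Find the shift under which a known word (the crib) appears in the plaintext."""
    for k, candidate in all_shifts(ciphertext):
        if crib in candidate:
            return k, candidate
    return None


if __name__ == "__main__":
    print(decode_codewords("brb"))                  # code: whole phrase
    print(shift_text("be right back", 1))           # cipher: per character
    print(recover_shift("cf sjhiu cbdl", "back"))   # 25 keys is no key space at all
```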

Ciphers Categorised

Symmetric Encryption

- Same key used for encryption and decryption


- Simple mathematical operations
- Well suited to basic computer systems
- Think of the key as a password that must be entered/used every time data is encrypted or
decrypted.

MD5 Hash Example


- Always a 32 hex digit result
- Hex result given, which can be converted to binary.

Symmetric Key Sharing


Vulnerability: Everyone needs to know the key, as it's a shared key.
How do the sender and recipient share the key?
- If it is emailed, it could be intercepted
- Meeting in person is not always practical
- A courier can not always be trusted


- What if you no longer want an individual to be able to decrypt a message?


- What if a key is leaked?
Issues found in symmetric encryption are resolved in asymmetric encryption.

Asymmetric Encryption
- One key is used for encryption and another for decryption
- Private key (recipients key)
> Must be kept secret
> Security of system relies on secrecy of this key
- Public key
> Can be given to anyone
> Could be attached to emails
> Published on a web page
E.g. PGP Encryption

- Recipient can give public key to anyone


- Senders can then use the recipient's public key to encrypt messages
- Recipient can use the private key to decrypt the message
> Recipient has kept the key in their possession at all times
> No secret information needs to be transmitted in an unencrypted form

No current examples of high-end asymmetric encryption being broken.

Block Ciphers
- Plaintext/ciphertext has a fixed length “b” (e.g. 128 bits)
- A plaintext of length “n” is partitioned into a sequence of m blocks, P[0], …, P[m-1], where n <
bm < n + b
- Each message is divided into a sequence of blocks and encrypted or decrypted in terms of its
blocks

(Diagram: the plaintext, and the same plaintext divided into blocks of plaintext.)

- Messages are divided into blocks and encrypted separately


- The same plaintext data will result in the same ciphertext data - does not ensure
confidentiality, well


Block Cipher Mode of Operation

- Each block of plain text is XORed with the previous ciphertext.


- This ensures ‘uniqueness’ in the message being encrypted

XOR
50% chance of getting a 1, and 50% chance of getting a 0 (binary), making encryption a lot
more secure.

Electronic Code Book vs Cipher Block Chaining
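Added example (my own code, not from the notes or the textbook): the two modes of operation above, ECB and CBC, built on a small Feistel block cipher whose round function is derived from SHA-256. The toy cipher, 8-byte block size, key and IV are constructed for teaching and are not a real cipher; the modes themselves are the real ECB and CBC constructions. The message is chosen with four identical blocks so the ECB pattern leak is visible.

```python
import hashlib

BLOCK = 8          # toy block size in bytes; AES uses 16-byte (128-bit) blocks
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, half, rnd):
    """Keyed pseudo-random function for one Feistel round (SHA-256 based toy)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def encrypt_block(key, block):
    """Toy Feistel cipher: invertible because each round only swaps and XORs."""
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, right, rnd))
    return right + left


def decrypt_block(key, block):
    right, left = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        right, left = left, _xor(right, _round_function(key, left, rnd))
    return left + right


def pad(data):
    """PKCS#7-style padding so the message is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def split_blocks(data):
    """The m blocks P[0], ..., P[m-1] of the notes."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """ECB: every block encrypted independently, so equal blocks give equal output."""
    return b"".join(encrypt_block(key, b) for b in split_blocks(pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(decrypt_block(key, b) for b in split_blocks(ciphertext)))


def cbc_encrypt(key, plaintext, iv):
    """CBC: each plaintext block is XORed with the previous ciphertext block first."""
    previous, out = iv, []
    for block in split_blocks(pad(plaintext)):
        previous = encrypt_block(key, _xor(block, previous))
        out.append(previous)
    return b"".join(out)


def cbc_decrypt(key, ciphertext, iv):
    previous, out = iv, []
    for block in split_blocks(ciphertext):
        out.append(_xor(decrypt_block(key, block), previous))
        previous = block
    return unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate an earlier one (pattern leakage)."""
    blocks = split_blocks(ciphertext)
    return len(blocks) - len(set(blocks))


# Constructed demo values; a real system draws the IV fresh from os.urandom().
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
MESSAGE = b"ATTACKAT" * 4 + b"DAWN"   # four identical 8-byte blocks, then a tail

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, MESSAGE)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(KEY, MESSAGE, IV)))
```

Both modes decrypt back to the same message, but only ECB reveals that the first four plaintext blocks were identical; that repetition count is what an observer of ECB traffic learns for free.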

Stream Cipher
- Symmetric crypto system where the ciphertext C is obtained as the exclusive OR of the plaintext
message M and a pseudo-random binary vector S generated from the secret key.

Seed -> Key stream generator -> Key stream + Message -> Cipher text

Computers are not capable of truly generating random numbers. They take something to begin
with (a seed) to drive the key stream generator.
It continually generates pseudo-random values.

Stream Cipher occurs most on networks.
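Added example (my own code, not from the notes): the stream cipher pipeline above, "seed -> key stream generator -> key stream XOR message -> ciphertext". The key stream generator is a simple counter-mode construction over SHA-256 that stands in for a real generator; the key and nonce are constructed. A nonce is mixed into the seed so that the same key never produces the same key stream twice, which is the one rule every XOR stream cipher depends on.

```python
import hashlib


def keystream(key, nonce, length):
    """Expand key+nonce into `length` pseudo-random bytes by hashing a counter.

    A stand-in for the key stream generator in the notes: deterministic for a
    given seed (key + nonce), which is what lets the receiver regenerate it.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_crypt(key, nonce, data):
    """XOR the data with the key stream. The same call encrypts and decrypts,
    because (M xor S) xor S == M."""
    return bytes(d ^ s for d, s in zip(data, keystream(key, nonce, len(data))))


def ones_fraction(data):
    """Share of 1 bits: a good key stream sits near 0.5, as the notes describe."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


# Constructed demo values.
KEY = b"constructed-stream-key"
NONCE = b"msg-0001"
PLAINTEXT = b"attack at dawn"

if __name__ == "__main__":
    ct = stream_crypt(KEY, NONCE, PLAINTEXT)
    print(ct.hex())
    print(stream_crypt(KEY, NONCE, ct))
    print(round(ones_fraction(keystream(KEY, NONCE, 4096)), 3))
```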

Symmetric Block Ciphers - DES/3DES


Data Encryption Standard (DES)
- Developed by IBM in 1977
- 64 bit blocks, 56 bit keys (+8 bits for parity)
- Small key space makes an exhaustive attack possible
Triple DES (3DES)
- Effective key length of 168 bits
- Tried to resurrect DES, but computationally insufficient
Computers not powerful enough

Symmetric Block Cipher - AES


Advanced Encryption Standard (AES)


- The longer the key length, the harder it is to break the encryption algorithm.

- Selected by NIST in 2001 through open international competition and public discussion
- 128 bit blocks
- 128, 192 and 256 bit key lengths
- Exhaustive key search attack is not currently possible

Symmetric Stream Cipher - RC4


- Rivest Cipher 4, designed by Ron Rivest of RSA Security in 1987
- Used in SSL and WEP
- Simple and computationally efficient
- Key sizes range from 40 - 2048 bits

Asymmetric Cipher - RSA


- Designed by Rivest, Shamir, and Adleman (RSA)
- It is easy to multiply 2 numbers and calculate a product, but difficult to take a product and
determine all of its factors
- Usually deals with very large prime numbers
- Common key lengths are 512, 1024, 2048 or even 4096 bits

Steganography
- Involves hiding data within data
- A picture could be hidden in another picture
- Messages do not attract attention

The more 1’s present in the sequence, the higher intensity of the colour (darker). More zeros,
lighter the colour.

Want to embed a message in a picture?


Convert the letters into binary.
Use binary to create colours, and represent as a picture.

Find out the pixel colours of the image, then alter the least significant bit so the picture
changes least.
File size will not change between original picture and new picture.

Altering pixels, very hard to detect.


File size: 1 MB -> embed about 128 KB of data without changing the picture.
10-12% change.

Host file doesn’t have to be a picture, can be a music, video, etc


However, with a picture the visual changes slightly but it can still be viewed; if embedding into
video or music, the file may no longer be usable or compatible.

There is computer software designed to detect steganography in pictures.
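Added example (my own code, not from the notes): least-significant-bit embedding as described above, over a constructed byte array standing in for image pixel data (no image library needed). It shows the three properties the notes state: the file size does not change, no byte moves by more than 1, and a cover of 1 MB holds about 128 KB (one bit per byte). The 4-byte length header is my own convention so that extraction knows where the message ends.

```python
import random


def embed_lsb(cover, message):
    """Hide `message` in the least significant bit of each cover byte.
    A 4-byte big-endian length header is written first (an assumption of this
    example) so that extraction knows how many bytes to read back."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(cover):
        raise ValueError(f"cover too small: need {len(payload) * 8} bytes, have {len(cover)}")
    stego = bytearray(cover)
    pos = 0
    for byte in payload:
        for shift in range(7, -1, -1):            # most significant bit first
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(stego)


def _read_bytes(stego, start, count):
    """Reassemble `count` bytes from the LSBs starting at cover byte `start`."""
    out = bytearray()
    for k in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start + k * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego):
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header does not fit the cover; not an LSB payload?")
    return _read_bytes(stego, 32, length)


def capacity_bytes(cover):
    """One message bit per cover byte, minus the 4-byte header."""
    return len(cover) // 8 - 4


def max_byte_change(cover, stego):
    return max(abs(a - b) for a, b in zip(cover, stego))


def changed_fraction(cover, stego):
    """Share of cover bytes that actually changed (about half of those used)."""
    return sum(a != b for a, b in zip(cover, stego)) / len(cover)


# Constructed "pixel" data: 2048 pseudo-random bytes from a fixed seed.
COVER = bytes(random.Random(7).getrandbits(8) for _ in range(2048))
SECRET = b"meet at noon"

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(extract_lsb(stego), len(COVER) == len(stego), max_byte_change(COVER, stego))
    print("1 MB cover holds", capacity_bytes(bytes(1024 * 1024)), "bytes")
```

The `changed_fraction` figure is what statistical steganalysis tools look at: LSB embedding flips roughly half of the bits it touches, which disturbs the natural LSB statistics of an image even though no single pixel is visibly different.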

Brute Forcing Symmetric Ciphers


- Brute force attacks are also known as key space attacks.
- The key space is the set of all possible keys for a given cipher.
- The key space possibilities are determined by the key length


Bits  2^x  Combinations
1     2^1  2
2     2^2  4
3     2^3  8
4     2^4  16
5     2^5  32
6     2^6  64
7     2^7  128
8     2^8  256
9     2^9  512

Some Basic Probability


In terms of cryptography we often talk about very large numbers.
But how big are some of these numbers?
Take DES for example
DES has 56 effective bits in its key length, 2^56 ≈ 72 quadrillion keys.
If you reached into this key space and selected a random key, what would be the probability of
obtaining the correct decryption key?

Brute Force Attacks


- You systematically test every key until the correct key is found
- A brute force attack has a 100% chance of being successful, given enough time
- Or you can pre-compute them and store them in binary form, commonly known as rainbow
tables

DES Brute Force Example


If we could do 1 test every millisecond, it would take 2,284,931 years to go through the entire
key space.

The Electronic Frontier Foundation managed to build a machine that could crack a DES message
in 3 days.

Cracking AES?
According to NIST, if you had a machine that could crack DES in 1 second, it would take that
machine 149 trillion years to crack 128 bit AES. So even though they managed to create
something to crack DES in 3 days, it will not be able to crack 128 bit AES.
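Added example (my own code, not from the notes): the key-space arithmetic behind the table, the "Some Basic Probability" question and the DES/AES brute-force figures above, in one place. The functions reproduce the lecture's numbers (2^56 keys at one test per millisecond gives about 2,284,931 years using a 365-day year; a machine that does DES in one second needs about 149 trillion years for 128-bit AES) and go one step beyond by showing the expected work, which is half the key space on average.

```python
SECONDS_PER_YEAR = 365 * 24 * 60 * 60   # 365-day year, matching the lecture figure


def key_space(bits):
    """Number of possible keys for a key of `bits` bits."""
    return 2 ** bits


def key_space_table(max_bits=9):
    """Rows of (bits, key-space size), i.e. the table in the notes."""
    return [(bits, key_space(bits)) for bits in range(1, max_bits + 1)]


def probability_of_random_guess(bits):
    """Chance that one randomly chosen key is the right one."""
    return 1 / key_space(bits)


def expected_tests(bits):
    """On average half the key space is searched before the key is found."""
    return key_space(bits) // 2


def exhaustive_search_years(bits, tests_per_second):
    """Years to try every key at the given rate."""
    return key_space(bits) / tests_per_second / SECONDS_PER_YEAR


def scaled_search_years(target_bits, reference_bits, reference_seconds):
    """If a machine searches a `reference_bits` key space in `reference_seconds`,
    how long does the same machine take for `target_bits`? Every extra bit
    doubles the time, so the ratio is 2 ** (target_bits - reference_bits)."""
    return reference_seconds * 2 ** (target_bits - reference_bits) / SECONDS_PER_YEAR


if __name__ == "__main__":
    for bits, size in key_space_table():
        print(f"{bits:2d} bits -> {size} keys")
    print("P(random DES key is right) = 1 /", key_space(56))
    print("DES at 1 test/ms:", round(exhaustive_search_years(56, 1000)), "years")
    print("AES-128 on a 1-second DES machine:",
          round(scaled_search_years(128, 56, 1) / 1e12, 1), "trillion years")
    print("AES-128 on the EFF 3-day machine:",
          f"{scaled_search_years(128, 56, 3 * 86400):.3g}", "years")
```

The last line is the reasoning the notes give for AES: the EFF machine's 3 days scale by 2^72, so even a million-fold faster successor does not bring a 128-bit search into reach. Doubling attacker speed buys exactly one bit.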

Prosecution for not providing encryption key


In WA you can be prosecuted for not providing an encryption key to your devices, however if
you were a criminal, it would be better to be charged with not providing an encryption key than
to be charged with being in charge of a huge online drug scandal, from the evidence you
encrypted.

Brute Forcing Asymmetric Algorithms


- Brute forcing asymmetric ciphers such as RSA usually relies on being able to factor very large
numbers into their prime factors.
- It is easy to multiply two numbers to get a product, but considerably more difficult to start with
the product and determine all of its factors.
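Added example (my own code, not from the notes): textbook RSA on the small primes 61 and 53, followed by the factoring attack the section describes. With a tiny modulus, trial division recovers the private key instantly; `trial_division_steps` shows how that work grows with key length, which is the whole argument for the 2048-bit and larger keys the notes list. The primes and message are the standard small worked values; no padding is used, so this is a teaching model, not a usable cipher.

```python
import math


def keygen(p, q, e=17):
    """Textbook RSA key generation from two primes (no padding: teaching only)."""
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    n = p * q
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)        # public key, private key


def encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)


def factor_trial_division(n):
    """Factor n = p*q the slow way. Work grows with sqrt(n), i.e. 2^(bits/2)."""
    for candidate in range(2, math.isqrt(n) + 1):
        if n % candidate == 0:
            return candidate, n // candidate
    raise ValueError("no factor found")


def recover_private_key(public_key):
    """Everything an attacker needs is public except the factors of n."""
    n, e = public_key
    p, q = factor_trial_division(n)
    return n, pow(e, -1, (p - 1) * (q - 1))


def trial_division_steps(bits):
    """Upper bound on candidates trial division checks for a `bits`-bit modulus."""
    return math.isqrt(2 ** bits)


if __name__ == "__main__":
    public, private = keygen(61, 53)
    c = encrypt(public, 65)
    print(public, private, c, decrypt(private, c))
    print("recovered:", recover_private_key(public))
    for bits in (12, 64, 2048):
        print(f"{bits}-bit modulus: up to {trial_division_steps(bits):.3e} trial divisions")
```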

Traffic Analysis


However, even if the content of the messages is not known, patterns of communication might
convey information.
The number and timing of transmitted messages might convey certain information even if the
content of the messages is not known.

E.g. even if your laptop is completely encrypted, the pattern of your data transmissions can be
used to prosecute you. Look at the Defcon video on the Harvard University bomb threats, made
via Tor (the user thought they were protected); however, looking at the campus network, they
were the only one using the Tor network at that time on that network, and were therefore prosecuted.

Does trust exist in encryption?


- Can we trust our encryption software?
- Do governments or other agencies have a vested interest in stopping us from using
encryption?
> Backdoors
> “Master” decryption keys
Which is more “trustworthy”?
- Commercial or open source software?
- Freeware/shareware

CSI1101: Computer Security


Week 5 Lecture: Crypto 2

Data Integrity
The validity and trustworthiness of data.
Data may lose its integrity to:
- Human errors
- Errors during transmission over a network
- Software bugs
- Malware
- Hardware malfunctions
- Natural disasters

Ensuring Integrity via Parity


- Parity of bits: one method is to make the number of 1 bits even. E.g. A in ASCII in
binary is 0100 0001, but by manipulating the sequence while preserving parity it can change what it is
then decrypted into, e.g. A can become B, by adding a 0 to the end of the sequence.

Ensuring Integrity via Checksum


Checksum at sender's end

Checksum at receiver's end


Data Integrity Checking


Parity bits and Checksum are both susceptible to malicious and accidental faults and errors.
To ensure data integrity we need a method which is fault tolerant.

Cryptographic Hash Functions


A strong way of assuring the integrity of a digital object:
- A document
- An executable program
- Any other collection of bits
- A paragraph of text

A hash function takes the object as an input and outputs a “hash” or “digest”.

A complex mathematical algorithm (formula)


- MD4, MD5, MD6
- SHA1, SHA256, SHA512, SHA3
- RIPEMD160, RIPEMD320
- PANAMA
- Tiger
- And many others

Message-Digest Algorithm 5 (MD5)


- Developed by Ron Rivest in 1991
- Outputs 128 bit hash values
- Widely used in legacy applications
- Considered academically broken
- Faster than SHA-1

Secure Hash Algorithm 1 (SHA-1)


- Developed by NSA and approved by NIST
- Outputs 160 bit hash values
- Contains fewer implementation issues than MD5 (as it should)
- It is computationally more intensive than MD5
- Superseded by the SHA-2 family (SHA-256, SHA-384, SHA-512)

Hash Function Characteristics


A cryptographic hash function should have the following properties:
- Input of any length
- Output (hash or digest) of a fixed length
- Easy to compute in one direction
- Difficult to compute in the reverse direction
- The collision rate should be acceptably low (this digest should be unique to that object or
message)


Cryptographic Hash Functions


A hash algorithm is used to obtain a digest of a digital object.
The same algorithm can then be used to generate a digest of another object.
If the outputs are the same then the two objects are identical down to the last bit (forensically
verified).
If so much as one bit is different between the two objects, the outputs will be completely
different.
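An added example (not from the lecture notes) covering the properties listed above: fixed output length regardless of input size for MD5, SHA-1, SHA-256 and SHA-512, the avalanche effect (one flipped input bit changes about half of the digest bits), and a digest comparison of the kind used to verify that two copies of an object are identical. It uses only Python’s standard hashlib and hmac modules; the sample objects are constructed.

```python
"""Fixed-length digests, the avalanche effect, and digest comparison.

Added example for these notes (not from the lecture). Uses the hashlib module from
Python's standard library; the sample objects are constructed byte strings."""
import hashlib
import hmac

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an object of any length."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_lengths_bits(data: bytes) -> dict:
    """Output length in bits per algorithm; it never depends on the input length."""
    return {a: len(hashlib.new(a, data).digest()) * 8 for a in ALGORITHMS}


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(data: bytes, algorithm: str = "sha256") -> int:
    """Flip one bit of the input and count how many digest bits change.

    For a good hash roughly half of the output bits change (about 128 of 256)."""
    flipped = bytearray(data)
    flipped[0] ^= 0x01
    return differing_bits(
        hashlib.new(algorithm, data).digest(),
        hashlib.new(algorithm, bytes(flipped)).digest(),
    )


def same_object(a: bytes, b: bytes, algorithm: str = "sha256") -> bool:
    """Forensic-style comparison: equal digests mean equal down to the last bit.

    compare_digest avoids leaking where the two strings first differ via timing."""
    return hmac.compare_digest(digest_hex(a, algorithm), digest_hex(b, algorithm))


if __name__ == "__main__":
    doc = b"Quarterly report, final version."           # constructed
    print(digest_lengths_bits(doc))                      # same sizes as for b""
    print("bits changed by a one-bit edit:", avalanche(doc))
    print("identical copy:", same_object(doc, bytes(doc)))
    print("edited copy:  ", same_object(doc, doc.replace(b"final", b"draft")))
```

Comparing digests rather than whole files is what makes the forensic workflow practical: the digest is a few dozen bytes, can be published or written into an evidence log, and any later copy can be checked against it.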

CSI1101: Computer Security


Week 6 Lecture: Identification and Authentication

Terminology
Identification
- Establishing who or what an entity claims to be
- Who is this entity?
Authentication
- Establishing that the entity really is what it claims to be
- Is this entity really what it claims to be?
Authorisation
- Establishing what the entity is allowed to do
- What resources can it access/interact with?

Online fingerprints provide identity.

Authentication without disclosure of identity


Bitcoin? Client side key? *guesses*
Essentially the system knows that the subject is either authentic or not authentic, but does not
know the identity of the subject.
However identity is necessary if we want to enforce different authorisation controls on a per user
basis, or to relate actions to a particular user.

Identification and Authentication


3 Approaches:
Something you know
- Passwords
- Answers to questions
- Secret handshakes, symbols etc
Something you have
- ID card
- Token
- Private key
Something you are
- Biometric characteristics

Something You Know


- Username
- Password - Strength, storage, problems, cracking passwords,
- Date of birth


- Address
- Phone number
- Etc..

Using a hash function to store passwords


- User types in their password
- Password is passed through a one-way (hash) function
- OS compares the resulting hash with the hash stored in its database.

Off-line Password Cracking


- Dictionary attacks
- Brute force attacks
- Hybrid attacks

Success Factors
- For these offline attacks to work, the attacker needs:
- The passwords in their hashed form
- Knowledge of the hashing process/algorithm
- The ability to test for a match
- Significant amounts of time/computing power.

Rainbow Tables
- Large tables of pre-computed password hashes

Hashcat password recovery tool

More hardware = easier to crack passwords

Password salt
- Random data used as additional input to a one-way function.
- End users will naturally use short passwords
- Adding additional random characters will theoretically require additional computational power.
- Concatenate a salt with a password
- If the attacker knows the salt they still need to calculate a longer list of hash values requiring
additional time/resources before the correct value is found.
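An added example (not from the lecture notes) of the password storage and salting described above. The notes describe combining a random salt with the password before a one-way function; here that one-way function is PBKDF2-HMAC-SHA256 from Python’s standard hashlib, which also iterates the hash so that each guess costs more time (the iteration count is an assumption to be tuned per system). The usernames and passwords are constructed. It shows the defender’s side: why two users with the same password must not end up with the same stored hash, and how a login check recomputes and compares the hash.

```python
"""Storing and verifying salted password hashes.

Added example for these notes (not from the lecture). The notes describe concatenating a
random salt with the password before a one-way function; here the one-way function is
PBKDF2-HMAC-SHA256 from Python's hashlib, which also iterates the hash so that each
guess costs the attacker more time. The usernames and passwords are constructed."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # assumption: tune so one verification takes a tolerable fraction of a second


def unsalted_hash(password: str) -> str:
    """The weak scheme: same password, same hash, for every user and every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """What the password database stores: salt, work factor and the derived hash."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Login: recompute with the stored salt and work factor, compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["hash"])


def salting_demo() -> dict:
    # constructed: two users who happened to choose the same weak password
    alice = make_record("summer2019")
    bob = make_record("summer2019")
    return {
        # without a salt the two stored hashes are identical, so one precomputed
        # table (or one cracked hash) covers both accounts
        "unsalted_identical": unsalted_hash("summer2019") == unsalted_hash("summer2019"),
        # with per-user salts the stored hashes differ even though the passwords match
        "salted_identical": alice["hash"] == bob["hash"],
        "alice_correct": verify("summer2019", alice),
        "alice_wrong": verify("Summer2019", alice),
    }


if __name__ == "__main__":
    for k, v in salting_demo().items():
        print(f"{k:20s} {v}")
```

The salt is stored next to the hash in plain form; it is not a secret. Its job is to make every stored hash unique so that a rainbow table built for one system (or one user) is useless against another, and the iteration count is what makes each guess expensive.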

Something That You Have


- Smart card
- Token
- Private key

Barcodes
- The airline industry has been using two-dimensional barcodes on boarding passes.
- The barcode is encoded with a unique identifier allowing staff to look up the passenger’s
record with that airline.
- Barcodes provide convenience but are easy to duplicate

Magnetic Smartcards
Circuit based Smartcards
Tokens
RFID


Wearable authentication devices

Something That You Are


Biometrics

Physiological vs Behavioural Biometrics


Physiological:
- Iris
- Retina
- Finger prints
- Hand geometry
- Face recognition
Behavioural:
- Keystroke analysis
- Signature analysis
- Voice analysis

Confidence Limits
Each sensor reading will be slightly different
- Ambient light, noise
- The subject’s alignment with the sensor
Confidence limits allow for slight variation
How to determine optimal confidence limits?
- Too relaxed and we might authenticate an impostor.
- Too tight and we might reject the real person.
- Unfortunately the confidence limits may be fixed by the device itself and may not be user
configurable.

Biometric Errors
False Acceptance
False Rejection
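An added example (not from the lecture notes) that puts numbers on the confidence-limit trade-off above. The match scores are constructed on a 0..100 scale (higher means the live reading is closer to the enrolled template), and a reading is accepted when its score reaches the threshold. Sweeping the threshold shows false acceptance falling and false rejection rising, and finds the limit at which the two error rates meet.

```python
"""False acceptance vs false rejection as the confidence limit moves.

Added example for these notes (not from the lecture). Match scores are constructed on a
0..100 scale where a higher score means the live reading is closer to the enrolled
template; a reading is accepted when its score reaches the threshold (the confidence limit)."""

# constructed sample scores
GENUINE = [91, 88, 84, 79, 76, 73, 70, 66, 62, 50]   # the enrolled person under varying conditions
IMPOSTOR = [60, 52, 49, 47, 44, 41, 38, 35, 31, 28]  # other people presenting to the sensor


def false_rejection_rate(genuine, threshold: int) -> float:
    """Share of genuine readings below the limit: the real person is turned away."""
    return sum(s < threshold for s in genuine) / len(genuine)


def false_acceptance_rate(impostor, threshold: int) -> float:
    """Share of impostor readings at or above the limit: an impostor is let in."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_table(genuine, impostor, thresholds) -> dict:
    """threshold -> (FAR, FRR). Relaxed (low) limits raise FAR, tight (high) limits raise FRR."""
    return {
        t: (false_acceptance_rate(impostor, t), false_rejection_rate(genuine, t))
        for t in thresholds
    }


def equal_error_threshold(genuine, impostor, thresholds) -> int:
    """Threshold where FAR and FRR are closest: the usual compromise operating point."""
    table = error_table(genuine, impostor, thresholds)
    return min(table, key=lambda t: abs(table[t][0] - table[t][1]))


if __name__ == "__main__":
    steps = range(30, 91, 10)
    for t, (far, frr) in error_table(GENUINE, IMPOSTOR, steps).items():
        print(f"limit {t:3d}: FAR={far:.1f}  FRR={frr:.1f}")
    print("equal error threshold:", equal_error_threshold(GENUINE, IMPOSTOR, steps))
```

Which side of the equal-error point a deployment should sit on is a policy decision: a door into a server room is tuned for low false acceptance and tolerates more rejections, while a consumer phone unlock is tuned the other way. As the notes say, on many devices this limit is fixed by the manufacturer and cannot be adjusted.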

Type of Subject
Cooperative Subject
Non-Cooperative Subject
Uncooperative Subject

Inhibiting Factors?
If biometrics solve so many problems, why do we not use biometrics for everything?
Are the following factors inhibiting the adoption of biometrics?
- Social
- Cultural
- Religious
- Technical
- Economic
- Practical
- Other

Concluding Remarks
Is this ability to identify and authenticate necessarily a good thing?
- Will we get to a stage where every action can be:


> Recorded?
> Authenticated?
> Cross checked and matched with other actions?
- Is the notion of cash dead?
- In what areas of our lives do we still have any degree of anonymity?
Is there really any notion of privacy left?
- More on this in the privacy module…

CSI1101: Computer Security


Week 7 Lecture: Hardware and Data Security

The Earliest Computers


Initially all computer security issues were hardware security issues
- Systems occupied entire rooms
- Security was based on access control
Protecting computers today is a lot more complex as they have become:
- Increasingly mobile
- Interconnected
- Uncontrollable environmental factors

BYOD (Bring Your Own Device)


- Benefits to organisations and limitations
- Confidential company data now stored on personal and mobile computing devices.
- Organisations have lost control over data that they own.

Threats Towards Computing Hardware


- Theft of devices
- Environmental
- Physical Destruction
- Accidental damage
- Loss/misplacement
- Hardware age/stress

Theft of hardware might be the easiest way to obtain data of interest.

Encrypted storage is often tamper resistant and tested by government agencies (e.g. ASD).

Hardware vs. Software Encryption


Hardware-based encryption:
- Uses a dedicated processor located on the encrypted drive
- The processor contains a random number generator to generate an encryption key, which the user’s
password will unlock.
- Increased system performance
- Protects against cold boot attacks and malicious code.
Software-based encryption:
- Shares computer resources with other programs on the computer to encrypt data.
- May require software updates
- Susceptible to brute force attacks and memory attacks
- Cost-effective in small application environments.


Hardware Theft Mitigation Strategies


- Microdot technology
- RFID tagging
- CCTV monitoring
- Access control
- Secure storage of portables
- Encryption of Data at rest
- Mobile device tracking.

What about Environmental threats?


Electricity.
Mitigation strategy for electrical threats: an uninterruptible power supply (UPS).

What about Physical Damage to hardware?


Hardware could be damaged deliberately or accidentally.
- Backups are the best means to address physical damage to hardware
- How many people perform daily backups?

User Espionage:
- Keystroke sounds can be recorded and reconstructed to identify what was typed (keyboard
acoustic emissions)
- Hardware device designed to capture keystrokes (hardware key logger)
- Wi-Fi Data Capture

Faraday Bags, cages and Rooms


- To block/limit electromagnetic (EMF) emissions through the air we can surround sensitive
equipment with a metallic conductive shielding or mesh
- The holes in the mesh are smaller than the wavelength of the EMF radiation to be blocked.

Radio Frequency Identification (RFID)


Active or passive

Hardware Attacks: Reverse Engineering


Corporate espionage may involve…
- Reverse engineering: taking the final product, examining it, and working back to its design
through:
> Direct interrogation of the device by extracting an image of the software through an
interface, typically JTAG
> Taking the resultant image and performing a disassembly of the code

Jailbreaking

Computer Forensics
- Sometimes we may employ best practice from our perspective to erase data, but this may still
be insufficient.
- Computer forensics is the process of extracting data from hard drives, memory cards, or RAM
for use in a court of law.
- Computer forensic tools may also be used to extract confidential and private end-user or
corporate data.

Data Storage


Cluster sizes (Mr Williams, Tetris example).

Data Recovering and Carving


Data recovery or carving could be undertaken for a number of legitimate or non-legitimate
reasons.

Secure File Deletion Tools


- Secure file deletion tools can be used to ensure that data recovery is very difficult.
- Secure file deletion tools overwrite data, or more precisely sectors, many times
> 1, 3, 7, or 35 times using different bit patterns
- Tools can be used to wipe files, free space, unallocated space and cluster tips.
- Erasing a hard drive properly can take days or weeks, so people/organisations typically dispose
of hard disks incorrectly.
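An added example (not from the lecture notes, and not any particular wiping tool) of the multi-pass overwrite the notes describe: each pass writes a different bit pattern over every sector of the file, the write is flushed to the device, and a check confirms the original content is no longer present before the file is unlinked. The secret in the file is constructed. It assumes a conventional magnetic disk: on SSDs and flash media, wear levelling can leave old copies in blocks that a file-level overwrite never reaches, so there the drive’s own secure-erase command or destroying the encryption key is the right tool.

```python
"""Multi-pass overwrite of a file before deletion, with verification.

Added example for these notes (not from the lecture). The passes write 0x00, then 0xFF,
then random bytes: a three-pass scheme, one of the pass counts the notes list. Assumption:
a conventional magnetic disk; on SSDs and flash media wear levelling can leave old copies
in blocks that a file-level overwrite never reaches."""
import os
import tempfile

PATTERNS = (b"\x00", b"\xff", None)   # None = fresh random bytes for that pass


def overwrite_file(path: str, patterns=PATTERNS, chunk: int = 64 * 1024) -> int:
    """Overwrite every byte of the file once per pattern; return the number of passes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pat is None else pat * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # force each pass to the device, not just the page cache
    return len(patterns)


def contains(path: str, needle: bytes) -> bool:
    """Crude recovery check: does the raw file content still hold the needle?"""
    with open(path, "rb") as f:
        return needle in f.read()


def all_bytes_equal(path: str, value: int) -> bool:
    with open(path, "rb") as f:
        return set(f.read()) == {value}


def secure_delete(path: str, patterns=PATTERNS) -> int:
    """Overwrite, then unlink; returns the number of overwrite passes performed."""
    passes = overwrite_file(path, patterns)
    os.remove(path)
    return passes


def wipe_demo() -> dict:
    # constructed: a temporary file holding a secret
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"ACCOUNT-PIN:4821\n" * 1000)
    found_before = contains(path, b"ACCOUNT-PIN")
    overwrite_file(path, (b"\x00", b"\xff"))           # two fixed-pattern passes
    found_after = contains(path, b"ACCOUNT-PIN")
    result = {
        "found_before": found_before,
        "found_after": found_after,
        "last_pass_visible": all_bytes_equal(path, 0xFF),
        "size_unchanged": os.path.getsize(path) == 17 * 1000,
        "passes": secure_delete(path),                 # default three-pass wipe, then unlink
    }
    result["file_gone"] = not os.path.exists(path)
    return result


if __name__ == "__main__":
    print(wipe_demo())
```

Note what this does not cover: copies of the data in free space, cluster tips, swap, journal or backup files are untouched, which is why the notes list wiping of free and unallocated space as a separate job.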

Backup Strategies
People typically recognise the importance of ongoing, reliable system backups.
However, people are also reluctant to perform this process.
Data could be deleted, corrupted or lost.
Ransomware has encouraged end users and organisations to rethink their backup strategies.

Backup Issues
Some questions need to be answered.
- What will be backed up?
- How often will backups be performed?
- Will a rotation strategy be used?
- What type of media will be used?
- Where will backups be stored?
- How will backups be protected?
- Plain text or encrypted?
- Verification and logging of backups

CSI1101: Computer Security


Week 8: Operating System Security

What is an Operating System?


Provides the interface between the user and the computer hardware
Manages how applications access resources
- Hard disks
- CPU
- RAM
- Input devices
- Output devices
- Network interfaces

OS Security Concepts
- Identification, Authentication, Authorisation.
- Separation and protection of objects
- Auditing
- Permissions and File System Security

Separation of Objects


- An OS needs to stop objects from interfering with other objects.
- In particular it needs to prevent one process from interfering with other processes
- Memory management is important
- Many memory management techniques have been used by operating systems

Identification and Authentication


- Passwords still heavily relied upon as a means of authentication
- Smartcards and tokens are making some progress
- Consumer oriented biometric devices are becoming prominent for mobile computer devices

Authorisation
- An operating system controls access to objects within the system
- Objects might include:
> Files
> Network shares
> External drives and peripherals
> Resources (processor, memory etc)
- Different Operating Systems have different capabilities in controlling access to these resources

Windows Security Architecture


Local Security Authority (LSA)
Security Reference Monitor (SRM)
Security Accounts Manager (SAM)
WinLogon and NetLogon
Access Control Lists (ACL)
User Account Control (UAC)
Security Identifier (SID)

Special Accounts and Groups


- Admin or Root account
> Most powerful account
> Often this account is not subject to account lock out if incorrect password is entered
repeatedly
- User account
> Multiple user accounts can be present
- Guest account
> These days this account is typically disabled by default
- Group(s)
> A group may specify access to software, devices, objects etc. on that specific system
