ASCA & ALCS Curriculum
SOHO Network Management and Security
- Security threats and measures
V1.1 17/05/2007
SOHO
NETWORKING
SECURITY THREATS and Measures
Contents
1 Introduction
2 The First Security Threat – Virus
  2.1 Introduction
  2.2 Replication Strategies
  2.3 Avoiding Detection (out of syllabus)
  2.4 Virus Example – CIH
  2.5 Solution – Anti-virus Software
3 The Second Security Threat – Worm
  3.1 Introduction
  3.2 Replication Strategies
  3.3 Worm Example – Mydoom
  3.4 Solution
4 The Third Security Threat – Trojan Horse
  4.1 Introduction
  4.2 Replication Strategies
  4.3 Trojan Horse Example - Sub7
  4.4 Solution
5 The Fourth Security Threat – Spyware
  5.1 Introduction
  5.2 Replication Strategies
  5.3 Spyware Example - Bonzi Buddy
  5.4 Solution - Anti-spyware programs
6 The Fifth Security Threat – Unauthorised Access
  6.1 Introduction
  6.2 Solution – Access and User Right Control
7 The Sixth Security Threat – Interception
  7.1 Introduction
  7.2 Sniffer Example - Ace Password Sniffer
  7.3 Solution – IPSec, VPN and WEP (technical details are out-of-syllabus)
Author's remarks
• Part of the materials in this set of handouts is adapted from Wikipedia and Guide to Networking Essentials (2nd edition), published by Course Technology.
• This set of materials was essentially developed by Chung, C.F. Jeffrey.
1 Introduction
This reference introduces the common security threats to SOHO networks, together with real examples of each, and gives suggestions for protecting systems against these threats and for recovering data.
The main duties of a SOHO network administrator are to keep the network safe and to preserve the confidentiality, integrity and availability of the business information and data. Security threats damage not only computer hardware but also the most important asset of a business, its business information and personal data, and the resulting business loss can be huge.
2 The First Security Threat – Virus
2.1 Introduction
A computer virus is a program that replicates itself by making (possibly modified) copies of itself. The main criterion for classifying a piece of executable code as a virus is that it spreads by means of "hosts". A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on removable media. Viruses can also spread by infecting files on a network file system or on a file system that is accessed by another computer, such as the files on a file server. Viruses are sometimes confused with worms. A worm, however, can spread itself to other computers without being transferred as part of a host.
A virus is written by programmers known as "virus writers", who can have various reasons for creating and spreading viruses. Viruses have been written as research projects, pranks, vandalism, to attack the products of specific companies, to distribute political messages, and to obtain financial gain through identity theft or spyware. Some virus writers consider their creations to be works of art and see virus writing as a creative hobby. The damage a virus does therefore depends mainly on the writer's skill and intentions: a virus can damage computer files and systems, steal information and, in some cases (see the CIH example below), even damage computer hardware.
Viruses can infect different types of hosts. The most common targets are executable files that
contain application software or parts of the operating system. Viruses have also infected the
executable boot sectors of floppy disks, script files of application programs, and documents that
can contain macro scripts. Additionally, viruses can infect files in ways other than simply
inserting a copy of their code into the code of the host program. For example, a virus can
overwrite its host with the virus code, or it can use a trick to ensure that the virus program is
executed when the user wants to execute the (unmodified) host program. Viruses have existed
for many different operating systems, including MS-DOS, Mac OS and even Linux; however,
the vast majority of viruses affect Microsoft Windows.
2.2 Replication Strategies
In order to replicate itself, a virus must be permitted to execute code and write to memory.
For this reason, many viruses attach themselves to executable files that may be part of legitimate
programs. If a user tries to start an infected program, the virus’ code may be executed first.
Viruses can be divided into two types, on the basis of their behaviours when they get executed.
Non-resident viruses immediately search for other hosts that can be infected, infect these targets,
and finally transfer control to the application program they infected. Resident viruses do not
search for hosts when they are started. Instead, a resident virus loads itself into memory on
execution and transfers control to the host program. The virus stays active in the background and
infects new hosts when those files are accessed by other programs or the operating system itself.
Nonresident viruses can be thought of as consisting of a finder module and a replication
module. The finder module is responsible for finding new files to infect. For each new
executable file the finder module encounters, it calls the replication module to infect that file.
Here is a sample of a virus's replication task:
1. Locate an unchecked executable file.
2. Check whether the executable file has already been infected (if it is, return to the finder module of the virus).
3. Append the virus code to the executable file.
4. Save the executable's starting point.
5. Change the executable's starting point so that it points to the start of the newly copied virus code.
6. Save the old start location in the virus so that the virus branches to that location right after its own execution.
7. Save the changes to the executable file.
8. Close the infected file.
9. Return to the finder so that it can find new files for the virus to infect.
Resident viruses contain a replication module that is similar to the one that is employed by
non-resident viruses. However, this module is not called by a finder module. Instead, the virus
loads the replication module into memory when it is executed and ensures that this module is
executed each time the operating system is called to perform a certain operation. For example,
the replication module can get called each time the operating system executes a file. In this case,
the virus infects every suitable program that is executed on the computer.
2.3 Avoiding Detection (out of syllabus)
In order to avoid detection by users, some viruses employ different kinds of obfuscation.
Some old viruses, especially on the MS-DOS platform, make sure that the "last modified" date of
a host file stays the same when the file is infected by the virus. This approach does not fool antivirus software, however.
Some viruses can infect files without increasing their sizes or damaging the files. They
accomplish this by overwriting unused areas of executable files. These are called cavity viruses.
For example the CIH virus, or Chernobyl Virus, infects Portable Executable files. Because those
files had many empty gaps, the virus, which was 1 KB in length, did not add to the size of the
file.
Some recent viruses try to avoid detection by killing the virus scanner's processes before the scanner can detect them.
Here are some other methods of avoiding detection by users or anti-virus programs:
1. Stealth – Some viruses try to trick anti-virus software by intercepting its requests to the operating system. The virus can then return an uninfected version of the file to the anti-virus software, so that the file seems to be "clean".
2. Self-modification – Most modern anti-virus programs try to find virus patterns inside ordinary programs by scanning them for so-called virus signatures. Some viruses employ techniques that make detection by means of signatures difficult or impossible: they modify their code on each infection, so that each infected file contains a different variant of the virus.
3. Encryption with a variable key – A more advanced method is the use of simple encryption to encode the virus body under a key that changes with each infection. A virus scanner then cannot detect the body directly with a signature. The decrypting module, however, has to stay in plain form so that it can run, so the scanner can still detect the decryptor, which makes indirect detection of the virus possible.
4. Polymorphic code – Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses, however, this decryption module is also modified on each infection, so there is no fixed decryptor to write a signature for either.
5. Metamorphic code – To avoid being detected by emulation (running the suspect code in a sandbox until it has decrypted itself and can be scanned), some viruses rewrite themselves completely each time they infect a new executable. Viruses that use this technique are said to be metamorphic.
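The following added example (written for this handout; not code from any real virus or scanner) models items 3 and 4 of the list above and the emulation mentioned in item 5. The file layout, the byte-wise "instruction set" (XOR, ADD, SUB with a one-byte operand) and the virus body are all invented for the example. A plain signature scan of the stored file misses the encrypted body in both cases and catches the fixed decryptor only in the non-polymorphic case; an emulating scanner runs the stub on its own body and then finds the signature in both.

```python
"""Encrypted vs polymorphic virus bodies against signature and emulating scanners."""
import random

PAYLOAD = b"\xde\xad\xbe\xef-toy-virus-body"   # constructed virus body
BODY_SIG = PAYLOAD[:8]                           # signature of the plaintext body
XOR, ADD, SUB = 1, 2, 3                          # reversible per-byte operations
INVERSE = {XOR: XOR, ADD: SUB, SUB: ADD}
# A non-polymorphic decryptor is always "1 op: XOR k", so its header starts 01 01.
DECRYPTOR_SIG = bytes([1, XOR])


def apply_ops(ops, data: bytes) -> bytes:
    """Run a list of (op, k) over every byte of data, first op first."""
    out = bytearray(data)
    for i, b in enumerate(out):
        for op, k in ops:
            if op == XOR:
                b ^= k
            elif op == ADD:
                b = (b + k) & 0xFF
            else:
                b = (b - k) & 0xFF
        out[i] = b
    return bytes(out)


def build_sample(decryptor: list) -> bytes:
    """File = [n] [op k]*n [body encrypted so that `decryptor` recovers it]."""
    encryptor = [(INVERSE[op], k) for op, k in reversed(decryptor)]
    header = bytes([len(decryptor)]) + b"".join(bytes([op, k]) for op, k in decryptor)
    return header + apply_ops(encryptor, PAYLOAD)


def encrypted_decryptor(rng: random.Random) -> list:
    """Encryption with a variable key: the same stub every time, only k changes."""
    return [(XOR, rng.randrange(1, 256))]


def polymorphic_decryptor(rng: random.Random) -> list:
    """Polymorphic: a different but equivalent decryption routine on each infection."""
    ops = [(XOR, rng.randrange(1, 256))]
    for _ in range(rng.randrange(1, 4)):
        ops.insert(rng.randrange(len(ops) + 1),
                   (rng.choice([ADD, SUB, XOR]), rng.randrange(1, 256)))
    return ops


def scan_raw(sample: bytes) -> dict:
    """Plain signature scanning of the file as it is stored on disk."""
    return {"body": BODY_SIG in sample, "decryptor": sample.startswith(DECRYPTOR_SIG)}


def scan_emulated(sample: bytes) -> bool:
    """Emulation: execute the stub on its own encrypted body, then scan the result."""
    n = sample[0]
    ops = [(sample[1 + 2 * i], sample[2 + 2 * i]) for i in range(n)]
    return BODY_SIG in apply_ops(ops, sample[1 + 2 * n:])


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    plain = build_sample(encrypted_decryptor(rng))
    poly = build_sample(polymorphic_decryptor(rng))
    return {"encrypted": (scan_raw(plain), scan_emulated(plain)),
            "polymorphic": (scan_raw(poly), scan_emulated(poly))}


if __name__ == "__main__":
    print(demo())
```

The emulator here is trivial because the toy instruction set is; a real emulating scanner has to decide how long to run suspect code before giving up, which is exactly the gap a metamorphic virus exploits.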
2.4 Virus Example – CIH
CIH, also known as Chernobyl or Spacefiller, is a computer virus written by Chen Ing Hau of Taiwan. It is considered one of the most harmful widely circulated viruses, destroying all information on users' systems and in some cases overwriting the system BIOS. To accomplish this, it overwrites the first megabyte (1024 KB) of the hard drive with zeroes, beginning at sector 0. This usually destroys the contents of the partition table and may cause the machine to hang. It then tries to overwrite the flash BIOS with junk as well, which is why this virus is said to damage hardware.
2.5 Solution – Anti-virus Software
To protect a system from viruses, anti-virus software must be installed on it. Anti-virus software consists of programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. To accomplish this, anti-virus software typically uses two different techniques:
1. Examining (scanning) the contents of the computer's memory (RAM), the boot sectors, and the files stored on fixed or removable drives (hard drives, floppy drives), looking for known viruses that match definitions (virus signatures) in a virus dictionary.
2. Identifying suspicious behaviour of any running program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.
Some anti-virus software can also warn a user that a file is likely to contain a virus based on its file type; some anti-virus vendors also claim effective use of other types of heuristic analysis. Some anti-virus programs are also able to scan files as they are opened, and e-mail as it is sent and received, "on the fly". This practice is known as "on-access scanning".
Anti-virus software does not change the underlying ability of host software to carry viruses (attempts to do so exist, but such modifications can void the host software's warranty). Users must therefore update their software regularly to patch security holes. Anti-virus software itself also needs to be updated regularly so that it knows about the latest threats and hoaxes.
Anti-virus software examples include Norton Antivirus, McAfee and Sophos.
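The added example below (written for this handout, not code from any real virus or anti-virus product) puts section 2.2's nine-step replication task and the two scanning techniques of section 2.5 side by side on a toy executable format invented for the purpose: a file is a byte string `code` with an entry-point offset `entry`, and a jump to offset X is the byte `b"J"` followed by X as two big-endian bytes. The virus body, the infection marker and the sample "files" are constructed. `infect` and `finder` implement the list from 2.2; `scan_signature` is the dictionary scan, `scan_heuristic` a behaviour check that follows code from the entry point, and `disinfect` the "eliminate" step that puts the entry point back and cuts off the appended code.

```python
"""Toy appending virus (replication task of 2.2) and the scanner checks of 2.5."""
from dataclasses import dataclass

MARKER = b"INF"                    # constructed infection marker (used in step 2)
VIRUS_BODY = b"\xde\xad\xbe\xef"   # constructed "virus code"; also the AV signature
SIGNATURES = {"Toy.Appender": VIRUS_BODY}   # the scanner's virus dictionary


@dataclass
class ToyExe:
    name: str
    code: bytearray
    entry: int = 0


def is_infected(exe: ToyExe) -> bool:
    return MARKER in exe.code


def infect(exe: ToyExe) -> bool:
    """Replication module: steps 2-8 of the replication task on one file."""
    if is_infected(exe):                 # step 2: already infected, back to the finder
        return False
    old_entry = exe.entry                # step 4: save the host's starting point
    virus_start = len(exe.code)          # step 3: virus code is appended at the end
    # step 6: virus code ends with a jump to the saved entry, so the host still runs
    exe.code += MARKER + VIRUS_BODY + b"J" + old_entry.to_bytes(2, "big")
    exe.entry = virus_start              # step 5: entry point now reaches the virus first
    return True                          # steps 7-8: write-back and close are implicit here


def finder(files) -> list:
    """Finder module: steps 1 and 9 - visit every file, call the replication module."""
    return [f.name for f in files if infect(f)]


def scan_signature(exe: ToyExe) -> list:
    """Dictionary scan: which known signatures occur anywhere in the file?"""
    return [name for name, sig in SIGNATURES.items() if sig in exe.code]


def scan_heuristic(exe: ToyExe) -> bool:
    """Behaviour heuristic: follow code from the entry point; code that starts at
    the tail of the file and jumps back to earlier code is the appender pattern."""
    pc = exe.entry
    while pc < len(exe.code):
        if exe.code[pc:pc + 1] == b"J":
            target = int.from_bytes(exe.code[pc + 1:pc + 3], "big")
            return target < exe.entry
        pc += 1
    return False


def disinfect(exe: ToyExe) -> bool:
    """Eliminate: recover the saved entry point from the virus's jump, cut the tail."""
    idx = exe.code.find(MARKER)
    if idx < 0:
        return False
    jmp = exe.code.find(b"J", idx)
    exe.entry = int.from_bytes(exe.code[jmp + 1:jmp + 3], "big")
    del exe.code[idx:]
    return True


def demo() -> tuple:
    # Constructed "files"; their host code deliberately avoids the b"J" opcode byte.
    files = [ToyExe("a.exe", bytearray(b"\x90\x01\x02"), entry=0),
             ToyExe("b.exe", bytearray(b"\x03\x04\x05\x06"), entry=1)]
    first = finder(files)      # both files get infected
    second = finder(files)     # step 2 stops re-infection on the second pass
    report = {f.name: (scan_signature(f), scan_heuristic(f), f.entry) for f in files}
    cleaned = [disinfect(f) for f in files]
    return first, second, report, cleaned, [(f.entry, bytes(f.code)) for f in files]


if __name__ == "__main__":
    print(demo())
```

The heuristic is what catches a variant whose body bytes differ from the dictionary entry (section 2.3); the signature is what gives the variant a name.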
3 The Second Security Threat – Worm
3.1 Introduction
A computer worm is a self-replicating program, similar to a computer virus. A virus attaches itself to, and becomes part of, another executable program; a worm is self-contained and does not need to be part of another program to propagate itself. Worms are often designed to exploit the network and file-transmission capabilities (e-mail, file sharing, network services) found on many computers. In addition to replicating, a worm may be designed to do a number of other things, such as delete files on a host system or send documents via e-mail. More recent worms may be multi-headed and carry other executables as a payload. However, even in the absence of such a payload, a worm can cause havoc just with the network traffic generated by its reproduction. Advanced worms such as Mydoom can even cause a noticeable worldwide Internet slowdown at the peak of their spread.
3.2 Replication Strategies
Worms often install a backdoor on the infected computer, as Mydoom did. The resulting "zombie" computers are used by spammers (people who send "junk" e-mail) to send junk e-mail or to cloak the addresses of their websites. Spammers are thought to pay for the creation of such worms, and worm writers have been caught selling lists of IP addresses of infected machines; others try to blackmail companies with threatened denial-of-service (DoS) attacks. The backdoors can also be exploited by other worms, such as Doomjuice, which spreads using the backdoor opened by Mydoom.
3.3 Worm Example – Mydoom
Mydoom, also known as Novarg, Mimail.R and Shimgapi, is a computer worm affecting Microsoft Windows. It was first sighted on January 26, 2004, and became the fastest-spreading e-mail worm seen up to that time.
Mydoom is primarily transmitted via e-mail, appearing as a transmission error, with subject
lines including "Error," "Mail Delivery System," "Test" or "Mail Transaction Failed" in different
languages, including English and French. The mail contains an attachment that, if executed,
resends the worm to email addresses found in local files such as a user’s address book. Mydoom
also installs a backdoor on port 3127/tcp on the subverted PC to allow remote control by hackers
and establishes a denial of service attack against the website of the controversial company SCO
Group, timed to commence 1 February 2004.
3.4 Solution
Some commonly adopted measures to stop worms from spreading are as follows:
Anti-virus software – Anti-virus software can identify, thwart and eliminate computer worms. Please refer to the previous section for more information.
Patch – Worms spread by exploiting bugs (vulnerabilities) in software. Operating systems such as Windows must be patched regularly so that known bugs are fixed before a worm can use them.
Firewall – A firewall is a piece of hardware and/or software which operates in a networked environment to prevent communications forbidden by the security policy. A firewall of this kind is also called a packet filter: it does not let packets through unless they match an allow rule. The firewall administrator may define the rules, or default built-in rules may apply. A more permissive setup allows any packet to pass the filter as long as it does not match one or more "negative rules", or "deny rules". Modern firewalls can filter traffic on many packet attributes, such as source IP address, source port, destination IP address or port, and destination service (e.g. WWW or FTP). They can also filter based on protocol, the domain name of the source and many other attributes.
A firewall therefore lets us drop the network packets and traffic we do not want, including the packets a worm sends to spread or to reach its backdoor. It can block worms, Trojan horses, backdoors, unauthorised access and some DoS attacks, but only for traffic that actually passes through the firewall; a worm that arrives as an e-mail attachment the user opens still has to be stopped by anti-virus software and patching.
Examples of firewalls are Norton Internet Security and ZoneAlarm.
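As an added example (written for this handout, not any product's rule engine), the packet filter described above in both of its forms: a restrictive setup with a default deny and explicit allow rules, and a permissive setup with a default allow and "deny rules". Rules match on protocol, source and destination network (CIDR notation) and destination port; the first matching rule decides, otherwise the default policy applies. The addresses, ports and sample packets are constructed for the example; 3127/tcp is the Mydoom backdoor port named in section 3.3.

```python
"""First-match packet filter with a default policy, in two configurations."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"      # any source
    dst: str = "0.0.0.0/0"      # any destination
    dports: tuple = ()          # empty tuple = any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


def decide(rules, default: str, p: Packet) -> str:
    """First matching rule wins; if none matches, the default policy applies."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


LAN = "192.168.1.0/24"   # constructed office network

# Restrictive setup: default deny, only the listed traffic passes.
RESTRICTIVE = [
    Rule("allow", "tcp", src=LAN, dports=(80, 443)),   # LAN hosts may browse the web
    Rule("allow", "udp", src=LAN, dports=(53,)),       # ...and resolve names
]

# Permissive setup: default allow, "negative rules" for what must never pass.
# Order matters: the LAN-to-LAN allow comes first so the deny rules only hit
# connections that come from outside.
PERMISSIVE = [
    Rule("allow", src=LAN, dst=LAN),
    Rule("deny", "tcp", dst=LAN, dports=(3127,)),           # Mydoom backdoor listener
    Rule("deny", "tcp", dst=LAN, dports=(135, 139, 445)),   # RPC/SMB, a common worm vector
]


def evaluate(p: Packet) -> tuple:
    """Verdict under each setup: (restrictive, permissive)."""
    return decide(RESTRICTIVE, "deny", p), decide(PERMISSIVE, "allow", p)


if __name__ == "__main__":
    samples = {   # constructed traffic
        "backdoor from Internet": Packet("tcp", "203.0.113.9", "192.168.1.20", 3127),
        "LAN browsing the web":   Packet("tcp", "192.168.1.20", "198.51.100.7", 443),
        "LAN file sharing":       Packet("tcp", "192.168.1.20", "192.168.1.30", 445),
        "web server exposed":     Packet("tcp", "203.0.113.9", "192.168.1.20", 80),
    }
    for name, pkt in samples.items():
        r, p = evaluate(pkt)
        print(f"{name:24s} restrictive={r:5s} permissive={p}")
```

The "web server exposed" packet shows the cost of the permissive setup: anything nobody thought to write a deny rule for gets in, which is why a default-deny policy is preferred when the list of wanted services is known, as it usually is on a SOHO network.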
4 The Third Security Threat – Trojan Horse
4.1 Introduction
Trojan horse, also known as Trojan, is a malicious program that is disguised as legitimate
software. The term is derived from the classical myth of the Trojan horse. In the siege of Troy,
the Greeks left a large wooden horse outside the city. The Trojans were convinced that it was a
gift, and moved the horse to a place within the city walls. It turned out that the horse was hollow,
containing Greek soldiers who opened the city gates of Troy at night, making it possible for the
Greek army to pillage the city. Trojan horse programs work in a similar way: they may look
useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually
harmful when executed.
Trojan horse programs cannot replicate themselves, in contrast to some other types of security threats such as viruses or worms. A Trojan horse can be deliberately attached to otherwise useful software by a cracker, or it can be spread by tricking users into believing that it is a useful program. Trojan horses often contain spying functions, such as a packet sniffer, or backdoor functions that allow a computer to be remotely controlled over the network by hackers without the owner's knowledge, creating a "zombie computer" and resulting in data loss, data theft and system damage.
Its basic difference from a computer virus is that a Trojan horse is technically a normal computer program and does not possess the means to spread itself. Originally Trojan horses were not designed to spread themselves; they relied on fooling people into allowing the program to perform actions they would otherwise not have voluntarily permitted. Recent Trojans also contain functions and strategies that enable their spreading. This moves them closer to the definition of computer viruses, and it becomes difficult to clearly classify such mixed programs as either Trojan horses or viruses.
4.2 Replication Strategies
As mentioned, Trojan horse programs cannot replicate themselves. So how does a computer become infected? Here are some examples:
• Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of Trojans and other pests. Even with a more secure web browser, such as Mozilla's Firefox or Opera, your computer can still receive a Trojan horse if plug-ins such as Java are enabled.
• Instant messaging: Many get infected through files sent via various messengers. This is due to an extreme lack of security in some instant messengers, such as MSN Messenger.
• E-mail: Attachments to e-mail messages may contain Trojans.
4.3 Trojan Horse Example - Sub7
Sub7, or SubSeven, is the name of a popular Trojan or backdoor program. It is mainly used by
script kiddies for causing mischief, such as hiding the computer cursor, changing system settings
or loading up pornographic websites. However, it can also be used for more serious criminal
applications, such as stealing credit card details with a keystroke logger.
Sub7 is usually stopped by antivirus software and a firewall, and with popular operating
systems providing these features built in, it may become less of a computer security problem.
In common with other backdoor programs, Sub7 is distributed as a server and a client. The server is the program that victims must be enticed to run in order to infect their machines, and the client is the program with a GUI that the cracker runs on his own machine to control the server. Sub7 allows crackers to set a password on the server, theoretically so that once a machine is owned, no other crackers can take control of it.
However, the Sub7 server also has a master password, allowing anyone who knows it to take over the machine. In older versions, the master password is now known to be 14438136782715101980, but this does not work on the most recent version.
4.4 Solution
• Anti-virus software – Anti-virus software can identify, thwart and eliminate Trojan horses.
• Firewall – A firewall can filter all the network packets and traffic we do not want, including the connections that a Trojan horse's backdoor opens. Hence it helps to block worms, Trojan horses, backdoors, unauthorised access and DoS attacks.
• Precautions – Trojan horses can be guarded against through end-user awareness. If a user does not open unusual attachments that arrive unexpectedly, any unopened Trojan horses will not affect the computer. This is true even if you know the sender or recognise the source's address. Even if one expects an attachment, scanning it with updated anti-virus software before opening it is prudent. Files downloaded from file-sharing services such as BitTorrent (BT) are particularly suspicious, because peer-to-peer (P2P) file-sharing services are regularly used to spread Trojan horse programs.
5 The Fourth Security Threat – Spyware
5.1 Introduction
Spyware covers a broad category of malicious software designed to intercept or take partial
control of a computer’s operation without the informed consent of that machine’s owner or
legitimate user. While the term taken literally suggests software that secretly monitors the user, it
has come to refer more broadly to software that subverts the computer’s operation for the benefit
of a third party.
Spyware differs from viruses and worms in that it does not usually self-replicate. Like many recent viruses, however, spyware by design exploits infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements; theft of personal information, including financial information such as credit card numbers; monitoring of web-browsing activity for marketing purposes; or routing of HTTP requests to advertising sites.
5.2 Replication Strategies
As mentioned, spyware programs cannot replicate themselves. Instead, spyware gets on a
system through deception of the user or through exploitation of software vulnerabilities.
The most direct route by which spyware can get on a computer involves the user installing it.
However, users are unlikely to install software if they know that it may disrupt their working
environment and compromise their privacy. So many spyware programs deceive the user, either
by piggybacking on a piece of desirable software, or by tricking the user to do something that
installs the software without realizing it. For example, Bonzi Buddy, a spyware program targeted
at children, claims that:
He will explore the Internet with you as your very own friend and sidekick! He can talk, walk,
joke, browse, search, e-mail, and download like no other friend you've ever had! He even has the
ability to compare prices on the products you love and help you save money! Best of all, he's
FREE!
Spyware can also come bundled with shareware or other downloadable software, as well as music CDs. The user downloads a program such as a music player or a file-trading program and installs it; the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software. In other cases, spyware authors have repackaged desirable software with installers that add spyware.
A third way of distributing spyware involves tricking users by manipulating security features
designed to prevent unwanted installations. The security features of the design of the Internet
Explorer web browser militate against allowing Web sites to initiate an unwanted download.
Instead, a user action, such as clicking on a link, must normally trigger a download. However,
links can prove deceptive: for instance, a pop-up ad may appear like a standard Windows dialog
box. The box contains a message such as "Would you like to optimize your Internet access?"
with links which look like buttons reading “Yes” and “No”. No matter which “button” the user
presses, a download starts, placing the spyware on the user’s system.
5.3 Spyware Example - Bonzi Buddy
Figure 1. Bonzi Buddy’s user interface.
Bonzi Buddy is an on-screen software agent from BONZI Software. It is a well-known
example of spyware, with computer speed, privacy and ease of use all affected by installing the
program. When someone installs Bonzi Buddy, his or her homepage gets set to www.bonzi.com.
Bonzi Buddy can be installed automatically without user knowledge or consent via an
ActiveX object in Internet Explorer.
The user interface is a purple ape who swings across the screen. The ape tells jokes, reads
facts, sings songs, checks the user's e-mail, and delivers voice advertisements. The interface used
to be a green parrot; the interface was later changed to the ape interface. Children often install
Bonzi Buddy, seeing the program as a fun toy instead of as an advertising program.
5.4 Solution - Anti-spyware programs
Many programmers and commercial firms have released products designed to remove or block spyware. Anti-spyware programs can combat spyware in two ways: real-time protection, which prevents spyware from being installed, and scanning and removal of spyware that is already present. Scanning and removal is usually simpler, and so many more programs that do so have become available. Such a program inspects the contents of the Windows registry, the operating system files and the installed programs, and removes files and entries which match a list of known spyware components. Real-time protection from spyware works identically to real-time anti-virus protection: the software scans incoming network data and disk files at download time, and blocks the activity of components known to be spyware. In some cases, it may also intercept attempts to install start-up items or to modify browser settings. Like anti-virus software, an anti-spyware program needs to be updated regularly so that it knows about the latest spyware.
An example of an anti-spyware program is Lavasoft's Ad-Aware.
6 The Fifth Security Threat – Unauthorised Access
6.1 Introduction
Through its authorization service, an operating system protects computer resources by only
allowing resource consumers that have been granted authority to use them. Examples of
resources are individual files or data items, computer programs, computer devices and
functionality provided by computer applications. Examples of consumers are computer users,
computer programs and other devices on the computer.
So why do we need authorization to access various sorts of resources? Simply put, we may
not want expensive computer resources, such as colour laser printers, being accessed by
everyone. We do not want our intranet which contains internal information be accessed by public
and we do not want our students be allowed to install software in the school network, etc.
6.2 Solution – Access and User Right Control
Access and user right control includes authentication, authorization and audit. Those means
can be implemented through the use of biometric scans, metal locks, digital signatures,
encryption, and monitoring (by humans and automated systems), etc.
Authorization may be implemented using role-based access control or access control lists. Role-Based Access Control (RBAC) is an approach to restricting system access to authorized users. Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members of staff, or other system users, are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions.
Since users are not assigned permissions directly, but only acquire them through their role(s), management of individual user rights becomes a matter of simply assigning the appropriate roles to the user (see Figure 2), which simplifies common operations such as adding a user or changing a user's department.
Figure 2. Example of role based access control.
An access control list (ACL) is a list used to enforce privilege separation. It is a means of
determining the appropriate access rights to a given object depending on certain aspects of the
process that is making the request, principally the process's user identity.
The list is a data structure, usually a table, containing entries that specify individual user or
group rights to specific system objects, such as a program, a process, a file or a directory. Each
accessible object contains an identifier for its ACL. The privileges or permissions determine
specific access rights to the object, such as reading from, writing to or executing the object.
Figure 3 shows the access control list for a file (“bob.gif”) in MS Windows.
Figure 3. Example of access control list.
RBAC differs from ACLs, which are used in traditional discretionary access control systems,
in that it assigns permissions to specific operations that have meaning in the organization,
rather than to low-level system objects. The assignment of permission to perform a particular
operation is meaningful, because the operations are fine-grained and themselves have meaning
within the application.
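The two authorization models above side by side, as an added example in Go that is not part of the course notes: an ACL grants rights on one object per user (like the Figure 3 file ACL), while the RBAC policy grants operations such as installing software to roles and users to roles, so changing a user's department is a single role reassignment; every decision is also appended to a simple audit trail. The users, roles, permissions and object names are constructed for illustration.

```go
package main

import "fmt"

// Constructed example (not from the course notes). ACL: one object's user -> right -> allowed table.
type ACL map[string]map[string]bool

// RBAC: operations are granted to roles; users get them only via roles.
type RBAC struct {
	RolePerms map[string]map[string]bool // role -> permission -> allowed
	UserRoles map[string][]string        // user -> roles held
}

var Audit []string // audit trail: who asked for what, and the decision

func (a ACL) Check(user, right string) bool {
	ok := a[user][right] // unknown user or right reads as false: deny by default
	Audit = append(Audit, fmt.Sprintf("acl user=%s right=%s allowed=%t", user, right, ok))
	return ok
}

func (r *RBAC) Check(user, perm string) bool {
	ok := false
	for _, role := range r.UserRoles[user] {
		ok = ok || r.RolePerms[role][perm]
	}
	Audit = append(Audit, fmt.Sprintf("rbac user=%s perm=%s allowed=%t", user, perm, ok))
	return ok
}

// ChangeDepartment reassigns roles; no permission entry is touched.
func (r *RBAC) ChangeDepartment(user string, roles ...string) { r.UserRoles[user] = roles }

func NewSchool() *RBAC { // constructed policy for the school network
	return &RBAC{
		RolePerms: map[string]map[string]bool{
			"student":  {"read_intranet": true},
			"teacher":  {"read_intranet": true, "print_colour": true},
			"it_admin": {"read_intranet": true, "print_colour": true, "install_software": true},
		},
		UserRoles: map[string][]string{"alice": {"teacher"}, "bob": {"student"}},
	}
}

func main() {
	bobGif := ACL{"bob": {"read": true}, "alice": {"read": true, "write": true}}
	s := NewSchool()
	s.ChangeDepartment("bob", "it_admin") // one role change, no per-object entry edited
	fmt.Println(bobGif.Check("bob", "write"), s.Check("bob", "install_software")) // false true
	fmt.Println(Audit)
}
```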
Authentication concerns ways to ensure that users are who they say they are, and that whoever
attempts to perform a function in a system is in fact a user who is authorized to do so.
If a computer system is supposed to be used only by authorized users, it must be able to
detect and exclude any unauthorized usage. Access to the computer system is usually controlled
by an authentication procedure that establishes, with some degree of confidence, the identity of
the user, and then grants that identity whatever privileges it is authorized for. To accomplish
this, authentication methods such as user login, biometric scans and digital signatures must be
implemented.
User login – users identify themselves to the system by logging in with their own login name
and password, and possibly a biometric scan such as a fingerprint. Suitable authorization and
permissions are then granted depending on their identity.
Digital signatures – a digital signature is a method for authenticating digital information,
analogous to an ordinary physical signature on paper, but implemented using techniques from
the field of public-key cryptography. A digital signature method generally defines two
complementary algorithms, one for signing and the other for verification, and the output of
the signing process is also called a digital signature. The public-key cryptosystems on which
digital signatures are built allow anyone to identify themselves by signing the messages they
send, and the signature can be checked using their public key. A signature allows the
recipient of a message to be confident that the sender is indeed who he or she claims to be.
Suitable authorization and permissions are then granted depending on the sender's identity.
The public-key cryptography on which digital signatures rely is a form of cryptography that
allows users to communicate securely without prior access to a shared secret key, by using a
pair of mathematically related cryptographic keys, designated the public key and the private
key. In public-key cryptography, the private key is generally kept secret, while the public key
may be widely distributed. In a sense, one key “locks” a lock, while the other is required to
unlock it. It should not be possible to deduce the private key of a pair given the public key.
The most obvious value of a public key encryption system is confidentiality; a message which
a sender encrypts using the recipient’s public key can only be decrypted by the recipient’s paired
private key.
Public-key digital signature algorithms can be used for sender authentication. For instance, a
user can encrypt a message with his own private key before sending it. If another user can
successfully decrypt it using the corresponding public key, this provides assurance that the first
user (and no other) sent it.
These characteristics are useful for many other applications, such as digital cash,
password-authenticated key agreement, multi-party key agreement, etc.
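The two complementary algorithms described above, signing with the private key and verification with the public key, as an added example in Go that is not part of the course notes; it uses the standard library's Ed25519 signature scheme, and the names alice and mallory and the message are constructed. It also shows the two cases a verifier must reject: an altered message, and a signature checked against the wrong sender's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed example (not from the course notes). A Signer holds a key pair:
// the private key never leaves it, the public key may be handed to anyone.
type Signer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, pub: pub, priv: priv}, nil
}

// Public returns the key that can be widely distributed.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign is the signing algorithm: only the private key holder can produce it.
func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Verify is the verification algorithm: anyone with the claimed sender's
// public key can check that the signature matches this exact message.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, msg, sig)
}

func main() {
	alice, _ := NewSigner("alice")
	mallory, _ := NewSigner("mallory")
	msg := []byte("Transfer 100 to account 42")
	sig := alice.Sign(msg)
	fmt.Println(Verify(alice.Public(), msg, sig))                                  // true: genuine
	fmt.Println(Verify(alice.Public(), []byte("Transfer 900 to account 42"), sig)) // false: altered
	fmt.Println(Verify(mallory.Public(), msg, sig))                                // false: not alice
}
```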
Audit – an audit trail is a record of transactions or communications related to a single person,
account or other entity (see Figure 4). It shows who has accessed a computer system and what
operations he or she has performed during a given period of time. To keep an audit trail, we can
make use of the audit function provided by the operating system or by dedicated audit software.
Figure 4. Example of audit trail.
7 The Sixth Security Threat – Interception
7.1 Introduction
Interception means that someone captures a network packet in the middle of the network while
it is being transmitted. The one who intercepted the packet can read it, delete it, or even edit
the message in the packet (or the packet itself) and retransmit it. This is a serious threat to
data security.
Interception is accomplished using software programs or hardware devices called sniffers.
They can intercept and log traffic passing over a computer network. As data streams back and
forth over the network, the sniffer captures each packet and eventually decodes and analyzes its
content according to the corresponding protocol specifications. Besides wired sniffers, there are
also wireless sniffers. A wireless sniffer captures the packets sent from a computer through the
computer’s wireless network card to an access point or another computer. It captures these
packets as raw data together with the packet header information.
7.2 Sniffer Example – Ace Password Sniffer
Ace Password Sniffer is a powerful password sniffer and password monitoring utility. Ace
Password Sniffer can listen on LAN and capture passwords of any network user. Currently Ace
Password Sniffer can monitor and capture passwords sent over FTP, POP3, HTTP, SMTP, Telnet,
etc. Figure 5 shows a screenshot of the software running.
Figure 5. Password sniffer.
7.3 Solution – IPSec, VPN and WEP (technical details are out-of-syllabus)
To avoid data being eavesdropped during transmission, data can be encrypted before
transmission so that any intercepted data cannot be interpreted easily.
For wireless radio networks such as IEEE 802.11g, we may use Wired Equivalent Privacy (WEP),
one of the schemes that provides a certain degree of wireless network security. WEP was intended
to provide confidentiality comparable to that of a traditional wired network, hence the name.
WEP is part of the IEEE 802.11 standard ratified in September 1999. WEP uses the stream
cipher RC4 (see http://en.wikipedia.org/wiki/RC4_cipher for an introduction to RC4) for
confidentiality and the CRC-32 checksum for integrity.
Note that in 2001, research revealed that the RC4 encryption key could be recovered by
analyzing a large number of messages encrypted with the same key. This in turn is a potential
weakness in WEP. A more secure scheme for encrypting data transmitted over a radio network
is Wi-Fi Protected Access (WPA and WPA2).
For wired networks, we can use IP Security (IPSec). IPSec is a set of cryptographic protocols
for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP
packets. There are two IPSec components: Encapsulating Security Payload (ESP), which
provides authentication, data confidentiality and message integrity, and Authentication Header
(AH), which provides authentication and message integrity but does not offer confidentiality.
Originally AH was used only for integrity and ESP only for encryption; authentication
functionality was added to ESP subsequently.
To achieve additional security, we can use a Virtual Private Network (VPN). VPNs use
tunnelling protocols to provide the necessary confidentiality (preventing snooping), sender
authentication (preventing identity spoofing) and message integrity (preventing message
alteration) to achieve the intended privacy. When properly chosen, implemented and used, such
techniques can provide secure communications over unsecured networks. Because such choice,
implementation and use are not trivial, there are insecure VPN schemes on the market. One
secure VPN implementation uses the Layer 2 Tunnelling Protocol and IPSec together (L2TP/IPSec).
So far, no one has been able to intercept the data packets transmitted over an L2TP/IPSec VPN
connection.