Web Security: Are You at Risk?
Slide 1

Web Security: Are You at Risk?
Dan Massey, Colorado State University
November 10, 2004

Slide 2

Some Motivation
The going rate for use of a network of 20,000 zombie PCs: $2,000 to $3,000.
Such networks typically are used to broadcast spam and phishing scams and to spread email viruses written primarily to create yet more zombies.

Slide 3

Vulnerabilities and Counter Measures
Vulnerabilities: Why Should You Care
You Receive The Resulting Spam Email
An inconvenience if you simply filter or delete the email
A serious problem if you trust it and reveal private information.
You May Be The Owner of a Zombie PC
Essentially a PC where attackers have gained access.
Thriving market exists for compromised network PCs
You Rely on Network Based Services
Bank ATMs, airlines, utilities, etc. all make use of networks
Compromised PCs can be used to disrupt networks or hide the identity of attackers.
Counter Measures: What mechanisms help protect you?

Slide 4

Historical Development
Internet Originally a Small Research Project
Few computers at research centers
Connected via slow (by today’s standard) links
All users are experts on the system
First real “killer application”: email
Designed for Some “Security” Concerns
The main “threat” was that computers or network links might stop working.

Slide 5

Early “Security” Problems
Rare Cases of Malfunctioning Computers
Computer at MIT malfunctioned and most east coast computers could no longer reach the west coast.
Solution: user community cooperated to find and fix the problem.
Rare Cases of Application Misuse
Someone sent an email message announcing a new product that was for sale.
Solution: community told the sender to never again send “spam” email and the sender apologized

Slide 6

Spam Email Today
From: PowerSafe@citibank.com
We recently noticed one or more attempts to log into your Citibank account from a foreign IP address and we have reasons to believe that your account was used by a third party without your authorization. If you recently accessed your account while traveling to Brasil, the unusual login attempts may have been initiated by you. …<visit some site that will ask for account information>… If you choose to ignore our request, you leave us no choice but to temporarily suspend your account.

Slide 7

Countering This Attack
Solution 1: Block Email Before It Enters the Network
Great Deal of Ad Hoc Work In This Area
But hard to control all entry points and often blocks valid email as collateral damage.
Solution 2: Drop Email Before It Reaches Receiver
Hard to determine valid versus invalid senders
Solution 3: Drop or Ignore the Message at Receiver
The only defense that will save me in this case.
But fortunately we have a robust solution…

Slide 8

Cryptographic Counter Measures
The Solution: Cryptographic Magic Happens
Citibank sets up a key pair
Private key is known only by Citibank
Public key is published and known by all
Enables Secure Communication with Citibank
I encrypt my account number using the Citibank public key.
Send encrypted data to the requestor
Only someone with the private key can decrypt.
Result: Attacker only gets an encrypted mess
No need for you or Citibank to worry about this email.

Slide 9

Does This Work in Practice?
Do You Encrypt Confidential Data Using Public Key Cryptography?
From My Bank’s Website:
At (BigBank), ensuring the security of your online information is important to us, and that is why you can rest assured that no one but Wells Fargo has access to your information. Signing on to view your accounts from the (BigBank) Home Page is safe. The moment you click the Sign On button, your username and password are encrypted using Secure Sockets Layer (SSL) technology, keeping your information secure.

Slide 10

Your Role in the System
In theory, we have solved the problem….
The Problem: Cryptographic Magic Happens
Several Important Assumptions About You
You will only send data over encrypted channels.
You will obtain the correct Public Key for Citibank
You will encrypt data with the correct key.
No point encrypting your data with the attacker’s key!
In practice, the system really depends on you ignoring the email message.
Otherwise Citibank and you share the damages.
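The public-key scheme of Slide 8 and the “right key” assumption of Slide 10, as an added example that is not part of the talk: it uses Go’s standard-library RSA-OAEP, a hypothetical bank and phisher each holding their own key pair, a constructed account number, and a public-key fingerprint that the customer is assumed to have obtained out of band (not from the email) as the stand-in for “the right x509 certificate”.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// NewKey makes a fresh 2048-bit RSA key pair for a hypothetical party.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Fingerprint is SHA-256 of the DER-encoded public key: what you must learn out of band.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// EncryptFor encrypts account under pub only if pub matches the trusted fingerprint.
func EncryptFor(pub *rsa.PublicKey, trusted, account string) ([]byte, error) {
	if Fingerprint(pub) != trusted {
		return nil, fmt.Errorf("public key fingerprint mismatch: refusing to encrypt")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(account), nil)
}

// Decrypt reports whether priv opens ct; the wrong private key fails the OAEP check.
func Decrypt(priv *rsa.PrivateKey, ct []byte) (string, bool) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	return string(pt), err == nil
}

func main() {
	bank, phisher := NewKey(), NewKey()     // hypothetical parties
	trusted := Fingerprint(&bank.PublicKey) // obtained out of band, not from the email
	ct, _ := EncryptFor(&bank.PublicKey, trusted, "ACCT-0000 (constructed)")
	_, bankOK := Decrypt(bank, ct)          // true: only the bank's private key opens it
	_, phisherOK := Decrypt(phisher, ct)    // false: attacker gets the "encrypted mess"
	_, err := EncryptFor(&phisher.PublicKey, trusted, "ACCT-0000 (constructed)")
	fmt.Println("bank reads:", bankOK, "phisher reads:", phisherOK, "phisher key refused:", err != nil)
}
```

If the fingerprint check is skipped and the phishing page’s key is used, the phisher’s private key opens the ciphertext just as easily, which is exactly the “no point encrypting with the attacker’s key” case.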

Slide 11

Internet Risks So Far
Attackers Seek Your Private Data
Your job is to protect this data
Defense 1: I’m smart enough to ignore spam email
Ideally because you know the attacker doesn’t have the right x509 certificate.
Defense 2: I pick hard to break passwords and change them.
Defense 3: I’m a student and my bank account is already empty.
You are probably more valuable as a Zombie!

Slide 12

Compromised PCs
Network PCs are a valuable commodity
Provides attackers with resources (cpu, disk)
Makes tracking attackers difficult
Enable Distributed Denial of Service Attacks
Real and Thriving Market in Hacked PCs
Network Security Discussion from NANOG:
One problem hackers face: “Botnets (compromised computer collections) contain too many government computers”

Slide 13

How Can this Happen
From “Secrets and Lies” by Schneier (all old issues so don’t try them!)
Under certain conditions, a malformed clip art file can let arbitrary code execute on the user’s PC.
MS Explorer 5.0 allows an attacker to set up a Web page giving him the ability to execute any program on a visitor’s machine.
Vulnerabilities in complex software are unavoidable.
System Relies on You to Install Updates

Slide 14

Impact of Compromised PCs
A visit from the FBI
By Scott Granneman, SecurityFocus
Posted: 28/01/2004 at 13:02 GMT
A favorite trick is to surreptitiously turn on the Webcam of an owned PC in order to watch the dupe at work, or watch what he's typing on screen. This part isn't surprising. But Dave had countless screenshots, captured from hijacked machines or acquired online from hacker hangouts, where the script kiddie, after watching for a while, just can't help himself any more, and begins to insult or mock or mess with the duped owner. <snip> A man was working a crossword puzzle online when the hacker helpfully suggested a word for 14 Down

Slide 15

Impact of Compromised PCs
More Serious (non-webcam) Consequences
Attacker has access to your files
Logs your keystrokes
Gains information about you
Real Goal is Likely Something Larger
Your PC gives the attacker a hiding place
Provides resources
Provides bandwidth

Slide 16

Distributed Denial of Service
Attackers Control Massive Resources
Networks of 100,000+ compromised PCs
Each PC can send a large number of messages/sec
What if one directs all messages at a single website?
Example: attacker picks www.colostate.edu as target
Direct all zombies to send data to the target as fast as possible
Consumes all available resources at the target
No bandwidth, no CPU, etc. to handle legitimate requests.
How Do You Defend Against This?
Answer today: largely ad hoc filtering
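Why the “ad hoc filtering” of Slide 16 struggles against a zombie network, as an added example that is not part of the talk: constructed per-source traffic samples (hypothetical addresses and thresholds) are run through a per-source rate filter, which catches one loud host but sees nothing abnormal when 100,000 zombies each stay under the limit, and through a per-destination aggregate, which is where the flood on the target becomes visible.

```go
package main

import "fmt"

// Sample is a constructed traffic record: packets per second seen from one
// source toward one destination during a measurement interval (not real data).
type Sample struct {
	Src, Dst string
	PPS      int
}

// NoisySources is the per-source filter: any sender above limit is flagged.
// It catches a single loud host but says nothing about a zombie network
// whose members each stay under the limit.
func NoisySources(samples []Sample, limit int) []string {
	var out []string
	for _, s := range samples {
		if s.PPS > limit {
			out = append(out, s.Src)
		}
	}
	return out
}

// FloodedTargets aggregates by destination, which is where a distributed
// flood shows up even when no single source looks abnormal.
func FloodedTargets(samples []Sample, limit int) map[string]int {
	total := map[string]int{}
	for _, s := range samples {
		total[s.Dst] += s.PPS
	}
	for dst, pps := range total {
		if pps <= limit {
			delete(total, dst)
		}
	}
	return total
}

// Scenario builds the slide's example: n zombies each sending pps toward
// target, plus one ordinary client. Addresses are constructed placeholders.
func Scenario(n, pps int, target string) []Sample {
	samples := []Sample{{Src: "client-1", Dst: target, PPS: 2}}
	for i := 0; i < n; i++ {
		samples = append(samples, Sample{Src: fmt.Sprintf("zombie-%d", i), Dst: target, PPS: pps})
	}
	return samples
}

func main() {
	s := Scenario(100000, 50, "www.colostate.edu") // 100,000 zombies, 50 pps each
	fmt.Println("sources flagged at 1000 pps:", len(NoisySources(s, 1000)))    // 0
	fmt.Println("targets over 1000000 pps:", FloodedTargets(s, 1000000))        // target: 5000002
}
```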

Slide 17

DDoS Remains a Real Threat
Akamai DDoS Attack Whacks Web Traffic, Sites
By Chris Gonsalves, June 15, 2004
An apparent DDoS (distributed denial of service) attack on the DNS run by Akamai Technologies Inc. slowed traffic across the Internet early Tuesday and brought the sites of the company's major customers to a sudden halt for about two hours.

Slide 18

Slammer Worm After 30 Minutes
(chart by CAIDA)

Slide 19

Worms and Network Design
Assumed there is some important purpose for the communication
Ex: data and resources used in calculations to find a cure for cancer.
Resource Identification Success
Found and made use of 75K PCs on 6 continents
Located 90% of available resources in 10 minutes
Routing and Transport Success
UDP transport provided successful simple best effort delivery
Network routing delivered packets from one end of the globe to the other
Of Course Some Challenges Still Remain….
Unexpected interactions resulted in cancelled airline flights, ATM failures…
Exploited a known Microsoft security hole; these 75K would not have wanted to give resources!

Slide 20

Network Security Today
Designed a Robust Network That Finds a Way to Deliver Data
Now realize some data shouldn’t be delivered.
Strong Theoretical Models To Block Attacks
But typically assume expert configuration and informed users.
Open Research Challenge: Build Robust and Secure Networks That Survive Both Failures and Attacks

Slide 21

Challenges To You
Network Security Depends On You
Use security mechanisms when possible
Update and patch your PC
Help Us Build the Necessary Systems
Need approaches that apply state of the art mathematics and computer science.
But must also assume huma
