
Lesson 13 Security Tricks


breena

Presentation Transcript


  1. Lesson 13 Security Tricks

  2. The Government and You
     • Access to cryptographic keys
     • Carnivore
     • USA Patriot Act

  3. Govt Control of Cryptography
     • Key Escrow
     • 1993: Govt has pushed idea of Govt control/access to cryptographic keys
     • Legally used to thwart crime
     • GAK: Government Access to Keys
     • GAK Systems have a backdoor
     • Infrastructure is much harder than PKI

  4. Recent Event

  5. Carnivore

  6. Computer Network Monitoring
     • Port Scanning
     • Keystroke Monitoring
     • Packet sniffers
       • take advantage of the “friendly” nature of the net
       • grab packets not destined for the system
       • used by
         • hackers
         • sysadmins
         • law enforcement agencies

  7. Sniffing
     • Sniffers are programs or hardware devices that monitor (“listen in to”) traffic flowing across a network.
     • They can pull in all packets, or be selective and only grab packets destined for certain addresses or that carry a certain type of traffic.
     • For a sniffer to work correctly, it needs to view all of the traffic going across a network. Thus, it must be on the internal network or on the main connection into/out of a network.

  8. IP Packet
     Bit positions marked on the diagram: 4, 8, 16, 19, 32
     Version | Length | Type of Srvc | Total Length
     Identification | Flags | Fragment Offset
     Time to live | Protocol | Header Checksum
     Source Address
     Destination Address
     Options
     Data

  9. SnifferPro

  10. SnifferPro

  11. TCP packet
      Bit positions marked on the diagram: 4, 8, 16, 32
      Source Port | Destination Port
      Sequence Number
      Acknowledgement Number
      Data offset | Unused | URG ACK PSH RST SYN FIN | Window
      Checksum | Urgent Pointer
      Options | Padding
      Data
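The header layouts on slides 8 and 11, decoded the way a selective sniffer has to before it can keep only "packets destined for certain addresses or that carry a certain type of traffic" (slide 7). This is an added example, not part of the original presentation; the function names, the filter parameters and the sample packet are constructed for illustration.

```python
import socket
import struct

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")  # bit 0 .. bit 5

def parse_ipv4(buf):
    """Decode the fixed 20-byte IPv4 header; return (fields, payload)."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_len, tos, total, ident, flags_frag, ttl, proto, checksum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    header_len = (ver_len & 0x0F) * 4      # Length field counts 32-bit words
    if ver_len >> 4 != 4 or header_len < 20 or total < header_len or len(buf) < total:
        raise ValueError("malformed IPv4 header")
    fields = {"version": ver_len >> 4, "header_len": header_len, "tos": tos,
              "total_length": total, "id": ident, "flags": flags_frag >> 13,
              "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
              "checksum": checksum, "src": socket.inet_ntoa(src),
              "dst": socket.inet_ntoa(dst)}
    return fields, buf[header_len:total]

def parse_tcp(seg):
    """Decode the fixed 20-byte TCP header; return (fields, data)."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", seg[:20])
    data_offset = (off_flags >> 12) * 4    # Data offset counts 32-bit words
    if data_offset < 20 or data_offset > len(seg):
        raise ValueError("malformed TCP header")
    flags = [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "checksum": checksum, "urgent": urgent}, seg[data_offset:]

def matches(packet, dst=None, dport=None):
    """Selective capture: keep packets for one address and/or one TCP port."""
    ip, seg = parse_ipv4(packet)
    if dst is not None and ip["dst"] != dst:
        return False
    if dport is not None:
        return ip["protocol"] == 6 and parse_tcp(seg)[0]["dport"] == dport
    return True

# Constructed packet (checksums left at 0): 192.0.2.10:49152 -> 198.51.100.7:23
SAMPLE = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 44, 0x1234, 0x4000, 64, 6, 0,
                      socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
          + struct.pack("!HHIIHHHH", 49152, 23, 1000, 2000, (5 << 12) | 0x18, 8192, 0, 0)
          + b"hi\r\n")
```

The payload of the sample comes back as readable bytes, which is the exposure the Encryption bullet on slide 13 addresses.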

  12. NetXray

  13. Defeating Sniffer Attacks
      • Detecting and Eliminating Sniffers
        • Possible on a single box if you have control of the system
        • Difficult (depending on OS) to impossible (if somebody splices the network and adds hardware) from a network perspective
      • Safer Topologies
        • Sniffers capture data from the network segment they are attached to, so create segments
      • Encryption
        • If you sniff encrypted packets, who cares?
        • (outside of traffic analysis, of course)

  14. Passwords
      • The problem with passwords is that people don’t always pick good ones.

      Passwords cracked from a sample set of 13,797:

      Type of password       Number of Matches   Percentage
      User/account name            368              2.7%
      Common names                 548              4.0%
      Female Names                 161              1.2%
      Male Names                   140              1.0%
      Phrases & Patterns           253              1.8%
      Dictionary word             1027              7.4%
      Machine names                132              1.0%
      Science fiction               59              0.4%

      A total of 3340 passwords guessed.
      From: Network and Internetwork Security by Stallings

  15. Passwords used in Morris Worm

  16. Rules for passwords
      • Don’t pick an easy one to guess
        • mix upper and lower case, add special characters
        • at least 6 characters in length, 8 better
        • maybe use pass-phrases instead
      • Don’t write it down
      • Change it on a regular basis (but not too often)
      • If you’re the sysadmin, run a password cracker periodically.
      • If one-time passwords are possible, consider using them (they have their own problems though)

  17. Password Management
      • Password management issues
      • Default accounts
      • Easily guessed or cracked passwords
      • Unpassworded accounts
      • Shared accounts
      • Password aging
      • Password policy enforcement
      • Password auditing
      • Audit frequency
      • Control access to results
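One way to enforce the slide 16 rules when a password is set, rejecting candidates that fall into the guessable categories of the slide 14 table. This is an added example, not part of the original presentation; the word lists are tiny constructed stand-ins for real dictionaries, and treating three or more words as a pass-phrase is an assumption of this example.

```python
import string

# Constructed stand-ins for the guessable categories in the slide 14 table;
# a real deployment would load full name lists and dictionaries.
GUESSABLE = {
    "common name": {"mary", "john", "linda", "robert"},
    "dictionary word": {"password", "dragon", "security", "welcome"},
    "machine name": {"mailhost", "gateway"},
}

def core(pw):
    """Lower-case and drop leading/trailing digits and punctuation ('Dragon1!' -> 'dragon')."""
    return pw.lower().strip(string.digits + string.punctuation)

def check_password(pw, account, min_len=8):
    """Return the rules a candidate password breaks; an empty list means accepted."""
    problems = []
    if len(pw) < min_len:                      # slide 16: at least 6, 8 better
        problems.append("too short")
    if len(pw.split()) < 3:                    # assumption: 3+ words is a pass-phrase
        if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
            problems.append("no mixed case")
        if not any(c in string.punctuation for c in pw):
            problems.append("no special character")
    base = core(pw)
    acct = account.lower()
    if base in (acct, acct[::-1]):             # account name, forwards or reversed
        problems.append("user/account name")
    for category, words in GUESSABLE.items():
        if base in words:
            problems.append(category)
    return problems
```

A password such as `Dragon1!` satisfies every composition rule and is still rejected as a dictionary word, which is why the category check runs on the stripped form.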

  18. Cracking Passwords

  19. Steganography

  20. Steganography
      • Literally means “covered writing”
      • The practice of hiding a message in such a manner that its very existence is concealed.
      • Done by embedding the message in some medium such as a document, image, sound recording, or video.
      • Those who know the medium contains a message can extract it.
      • For those who don’t know about it, the message will be completely invisible.
      • Related concept is digital “watermarking”

  21. Steganography -- historical examples
      • In the Histories of Herodotus
        • Demaratus wanted to notify the Spartans that Xerxes planned to invade Greece. He had the wax scraped off of writing tablets, the message carved into the wood, and the tablets then re-covered with the wax. The message was thus hidden.
        • Shave the head of a messenger, tattoo the message on his head, let his hair grow back.
      • Codes, invisible ink, microdots

  22. Encoded messages
      • “Pershing sails from N.Y. June 1”
      • Example (the first letters of the words spell the message): President’s embargo ruling should have immediate notice. Grave situation affecting international law, statement foreshadows ruin of many neutrals. Yellow journals unifying national excitement immensely.

  23. Hiding images in files
      • Takes advantage of coding scheme
      • For pictures, each pixel is represented by 1 or more bytes.
      • If the least significant bit is used to encode the message, small variations in the picture may occur but the message will be hidden inside.
      • A 400 x 300 image will have 120,000 pixels, thus
        • with an 8-bit coding scheme (256 colors), 120,000 bits of coded message can be hidden, or 15,000 bytes (characters).
        • If an RGB scheme is used with 3 bytes/pixel (one for each color, RGB), even more data can be hidden since the resulting file is much larger.

  24. Steganography
      Image (5 x 5 pixels, 3 bits per pixel):
        111 000 000 000 111
        000 111 000 111 000
        000 000 111 000 000
        000 111 000 111 000
        111 000 000 000 111
      CAB = 01000011 01000001 01000010
      8 shades of gray: 000 001 010 011 100 101 110 111

  25. Steganography
      CAB = 0 1 0 0 0 0 1 1  0 1 0 0 0 0 0 1  0 1 0 0 0 0 1 0
      Original =
        111 000 000 000 111
        000 111 000 111 000
        000 000 111 000 000
        000 111 000 111 000
        111 000 000 000 111
      Hidden =
        110 001 000 000 110
        000 111 001 110 001
        000 000 110 000 000
        001 110 001 110 000
        110 000 001 000 111
      8 shades of gray: 000 001 010 011 100 101 110 111

  26. Steganography
      Hidden =
        110 001 000 000 110
        000 111 001 110 001
        000 000 110 000 000
        001 110 001 110 000
        110 000 001 000 111
      [Images: original, hidden, original]
      8 shades of gray: 000 001 010 011 100 101 110 111
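The least-significant-bit replacement walked through on slides 24 to 26, together with the capacity arithmetic from slide 23, as an added example that is not part of the original presentation. The pixel values are copied from the slides; the function names are this example's own.

```python
def grid(text):
    """Parse whitespace-separated 3-bit gray levels into a row-major pixel list."""
    return [int(p, 2) for p in text.split()]

# Pixel values copied from slides 24 and 25 (5 x 5 image, 8 shades of gray).
ORIGINAL = grid("""111 000 000 000 111
                   000 111 000 111 000
                   000 000 111 000 000
                   000 111 000 111 000
                   111 000 000 000 111""")
SLIDE_HIDDEN = grid("""110 001 000 000 110
                       000 111 001 110 001
                       000 000 110 000 000
                       001 110 001 110 000
                       110 000 001 000 111""")

def to_bits(message):
    """ASCII text -> bit list, most significant bit of each character first."""
    return [(b >> i) & 1 for b in message.encode("ascii") for i in range(7, -1, -1)]

def embed(pixels, message):
    """Overwrite the least significant bit of successive pixels with message bits."""
    bits = to_bits(message)
    if len(bits) > len(pixels):
        raise ValueError("cover too small: %d bits, %d pixels" % (len(bits), len(pixels)))
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & ~1) | bit
    return stego

def extract(pixels, n_chars):
    """Read n_chars characters back out of the pixel LSBs."""
    if 8 * n_chars > len(pixels):
        raise ValueError("image holds fewer than %d characters" % n_chars)
    out = bytearray()
    for c in range(n_chars):
        value = 0
        for p in pixels[8 * c:8 * c + 8]:
            value = (value << 1) | (p & 1)
        out.append(value)
    return out.decode("ascii")

def capacity_bytes(n_pixels, bytes_per_pixel=1):
    """Characters that fit at one hidden bit per stored byte (slide 23)."""
    return n_pixels * bytes_per_pixel // 8

def distortion(a, b):
    """Return (pixels changed, largest gray-level change) between two images."""
    diffs = [abs(x - y) for x, y in zip(a, b)]
    return sum(d != 0 for d in diffs), max(diffs)
```

`embed(ORIGINAL, "CAB")` reproduces the slide's Hidden grid exactly, and `distortion` shows that no pixel moves by more than one gray level.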

  27. Example (hideseek on gif file)
      [Images: Original; Version with hidden text]
      Text: “This is a MacGregor 26X.”

  28. Example (hideseek on gif file)
      [Images: Original; Version with hidden text]
      Text: “This is a MacGregor 26X under power. Cool looking boat with lots of neat features. Uses water ballast system so very easily trailered. This also results in an extremely shallow draft so it can be easily beached.”

  29. Example (PGE on jpg file)
      [Images: Original; Picture with hidden text]
      Text: “A sample text to hide.”

  30. Example (PGE on jpg file)
      [Images: Original; Picture with hidden text]
      Text: “A sample text to hide. This is a larger file to hide. The photo is cool, how did that car get underneath the jet in the first place?”

  31. Example (Hide4pgp with wav)
      [Audio: Original; Wav file with hidden text]
      Text: “An example of text hidden in a sound file.”

  32. Steganography (TextHide)

  33. Steganography (TextHide) Lets Go Home

  34. Watermarks
      • First of all, why worry?
        • There are some legitimate concerns but often there are many other easy ways to conceal/capture info.
      • Detection
        • Watermarks harder than complete stego images
        • Any manipulation of image introduces distortion
        • Changes between colors rarely occur in 1-bit shifts
          • (not true of gray-scale)
        • one way to foil is to use color palettes that change dramatically with 1-bit shifts
