Basic Computer Security for Higher Education Outline

Transcription

Basic Computer Security for Higher Education Outline
Basic Computer Security for
Higher Education
Dr. Kara L. Nance
ASSERT Center
University of Alaska Fairbanks
Outline
Introduction
Overview of Computer Security
Email Security
Password Safety
What You Can Do
1
University of Alaska – Computer Science
ABET Accredited
Computer Science
Program.
B.S., M.S., M.S.E.
Diverse faculty research
expertise with emphasis
on
– Information Assurance
– Computer Graphics
Advanced System Security Education, Research,
and Training (ASSERT) Lab
Computer Forensics
Information Assurance
Computer Security
Authentication
Networks
Honeypots
Virus and Worm Behavior
Social Engineering
Critical Infrastructure
Sensor Webs
Education/Outreach
www.assert.uaf.edu
2
Outline
Introduction
Overview of Computer Security
Email Security
Password Safety
What You Can Do
What does secure mean?
When we have a valuable asset, we want to
protect it so that:
– Those who should have access to the asset are
actually able to access it.
– Those who should not have access to the asset are
unable to access it.
3
What does secure mean?
For example, consider your bank account.
– You want to be able to withdraw money from your
account.
– You don’t want anyone else to be able to withdraw
money from your account.
What does secure mean?
We have similar concerns in the
computing realm:
– You want to be able to create, read, and modify your
files on the institution’s file server.
– You want your coco-worker, Bob, to be able to read
your files on the institution’s file server.
– You don’t want anyone else to be able create, read,
or modify your files on the institution’s file server.
4
What does secure mean?
For computer systems, we may want to secure
assets such as:
– Resources including equipment, network bandwidth,
CPU cycles, disk space, etc.
– Data such as database contents, files, email
messages, etc.
What does secure mean?
Computer systems tend to be:
– Complex – lots of components, including hardware,
software, users, and data.
– Dynamic – frequently changing, due to upgrades,
patches, adding and removing users, and changing
data.
The result is that securing computer systems is
a difficult problem, and any solution must be
continually rere-evaluated as the system changes.
5
10 Immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your computer, it's
not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer,
computer, it's not
your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer,
computer, it's not
your computer anymore
Law #4: If you allow a bad guy to upload programs to your website,
website, it's not your
website any more
Law #5: Weak passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy
trustworthy
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than
than no virus
scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the
the Web
Law #10: Technology is not a panacea
LOOKAT: http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
Attacks – Poorly Designed Programs
13 year old deletes files; none of his actions were
unauthorized March 2004 [ North Ridgefield, OH] –
A 13 year old deleted numerous files from a district’s electronic
electronic
reading program. He was suspended and the case was referred
to the police. Although he was accused of hacking, several
people pointed out that the program was poorly designed and
allowed the deletions to take place without any unauthorized
intrusions. They also pointed out that the district was negligent
negligent
for not having backup copies of the files on a separate server.
LOOKAT: http://securedistrict.cosn.org/admin/stories.html#2004Dartmouth
(CyberSecurity for the Digital District)
6
Attacks – Poor Password “Placement”
Stolen Password Used To Change Grades
April 2004 [Broward County, FL]
Two students were suspended after admitting to
using a password stolen from a teacher’s computer to
break into the school server and run a small business
charging $5 to change students’ grades.
LOOKAT: http://securedistrict.cosn.org/admin/stories.html#2004Dartmouth
(CyberSecurity for the Digital District)
Attacks - Equipment
KeyKatcher Used On School Machines
January 2004 [Saratoga, CA]
A group of high school students installed “keykatcher
“keykatcher”” devices
on several school computers and captured teacher passwords
which they used to access school systems to steal tests and
answers. The device costs less than $100 and is about the size
of a AA battery. It is installed between the keyboard and the
computer. It went unnoticed in teachers' classrooms. “We've
only found one KeyKatcher on campus,'' Principal Kevin Skelly
said. “But we know there's more out there.” The keykatcher
exploit was accidentally discovered in the process of
investigating two other incidents: a math student who broke into
a school computer and tried to change a grade, and two
students who stole a printed test and saved electronic copies.
LOOKAT: http://securedistrict.cosn.org/admin/stories.html#2004Dartmouth
(CyberSecurity for the Digital District)
7
Attacks – Social Engineering and Poor
Password Choice
Scam to change grades: So simple, so effective ... so stupid
Nick Farrell, vnunet.com 17 Jul 2002
A student at the University of Delaware has appeared in court charged
charged with
breaking into the university's computer systems to change her grades.
grades.
Darielle Insler made phone calls to the technical support teams in which
she impersonated her teachers and requested a new password. She
used the password to get into her personal files and change her
grades.
She also was able to guess at least one professor’s password.
Campus police say she allegedly changed her grades in math and science
science
classes from Fs to As. And police say she changed an 'incomplete'
'incomplete' to a
passing grade in an education class.
Police stated that the plan was simple and very effective at gaining
gaining access
to key systems. "It's the easier way, because you don't really need
need the
computer expertise or knowknow-how, instead of handling the computer,
you're handling the people."
LOOKUP: http://cnnstudentnews.cnn.com/2002/fyi/teachers.ednews/07/17/university.hacker.ap/
http://cnnstudentnews.cnn.com/2002/fyi/teachers.ednews/07/17/university.hacker.ap/
Types of Threats
Interception
– For example, a final exam is read by a student as
the instructor emails it from his home computer to
his office account.
Interruption
– For example, students cannot register because
the registration website because the servers are
experiencing a DenialDenial-ofof-Service attack.
8
Types of Threats
Modification
– For example, messages between “select” senior
faculty members are changed by the Bob during
transmission (“Bob’s tenure evaluation meeting
begins at 8:00” becomes “Bob’s tenure evaluation
meeting begins at 10:00”).
Fabrication
– For example, an ‘A’ student receives a fake
message from a professor that an exam has been
cancelled.
Method, Opportunity, and Motive
An attacker needs a method, an opportunity,
and a motive.
Methods are increasingly widely available to
even unskilled computer users. Scripts and
programs that can be used to exploit
vulnerabilities are widely available on the
Internet, so that an attacker need only
download and run a program to perform an
attack.
9
Method, Opportunity, and Motive
Opportunities are far more widely available.
Since almost all computer systems have
some kind of network connection, physical
access to the computer system is rarely
needed.
Motives are many and widely varied, and
include profit, intellectual curiosity, challenge,
revenge, personal advancement, etc.
Computer Security Goals
Confidentiality – Student exam results can
only be read by Professor X and the student.
Integrity – Grades can only be changed by
Staff Member A.
Availability – Student B’s Unofficial Transcript
is available to (and can be accessed by)
Advisor X and Student B at all times.
10
Vulnerabilities
Hardware
– Includes damage to hardware, caused
deliberately or accidentally.
– Theft and alteration of the hardware is also
a major problem – installation of a
keystroke logger, for example.
Vulnerabilities - Hardware
The brazen airport computer theft that has Australia's antianti-terror
fighters up in arms
By Philip Cornford
September 5, 2003
On the night of Wednesday, August 27, two men dressed as computer
computer technicians and carrying
tool bags entered the cargo processing and intelligence centre at
at Sydney International
Airport. The men, described as being of PakistaniPakistani-IndianIndian-Arabic appearance, took a lift to
the third floor of the Charles Ulm building on Link Road, next to
to the customs handling depot
and the Qantas Jet Base.
They presented themselves to the security desk as technicians sent
sent by Electronic Data Systems,
the outsourced customs computer services provider which regularly
regularly sends people to work
on computers after normal office hours. After supplying false names
names and signatures, they
were given access to the toptop-security mainframe room. They knew the room's location and
no directions were needed.
Inside, they spent two hours disconnecting two computers, which they put on trolleys and
wheeled out of the room, past the security desk, into the lift and
and out of the building.
LOOKAT: http://www.smh.com.au/articles/2003/09/04/1062548967124.html
11
Vulnerabilities
Software
– Includes the addition, modification, deletion, or
misplacement of software on a system, and again
may be caused deliberately or accidentally.
– For example, an attacker may attempt to add FTP
server software to a computer, in order to provide
a location for illegal files to be traded anonymously
online.
Vulnerabilities
Data
– Data can be deleted, modified, or revealed
to unauthorized users, and again this
cause may be deliberate or accidental.
– For example, email can typically be
intercepted, modified, or deleted with ease
by a malicious user with access to the
network.
12
Methods of Defense
Remember that attackers are often
successful when they do the
unexpected – don’t expect them to
behave like typical users, or attack
where your defenses are strongest!
Outline
Introduction
Overview of Computer Security
Email Security
Password Safety
What You Can Do
13
Basic Email
Email has become an incredibly popular method
of communication, but it was not designed with
security in mind.
Basic Email
In its most basic form, email suffers from at least
two very basic drawbacks
– The content is usually not encrypted, thus anyone
who intercepts the message as it travels from the
sender to the recipient(s) can read/modify the
message.
– The sender is not authenticated. This means that
when a recipient receives a message, he/she cannot
be sure who sent it.
14
Basic Email
A postcard is a much better analogy for email than
a letter in an envelope.
Basic Email – Unencrypted
An email message is unencrypted, so anyone
who can intercept the message can read/modify
the contents.
15
Basic Email – Unencrypted
As an email travels from sender to recipient, it
may pass through many computers, such as
routers and mail forwarders. Any of these
computers (or their administrators) can intercept
(and read/modify/discard) the email without the
knowledge of the sender or recipient.
Basic Email – Unencrypted
Any attacker monitoring network traffic on a
network segment through which the email
travels can also intercept and read/modify the
email without the knowledge of the sender or
recipient.
16
Basic Email – Unauthenticated
The email header contains information about
the sender and recipient of the email.
Most individuals never read the header.
Most individuals trust that the contents of this
header accurately reflect the true sender of the
email.
Most email software has an option that displays
these headers to the user.
Basic Email – Unauthenticated
I have created an email
account,
csmn681@hotmail.com for
this demonstration.
We can see that the inbox
contains a message
claiming to be from one of
my CSMN 681 students.
The sender’s email
address shown is correct,
but Rob did not send the
message.
Thanks to Rob for allowing me to use his address for this demonstration.
demonstration. You should NOT assume that
you can perform a similar email demonstration without the written
written consent of the owner of any email
address and email server that you intend to use.
17
Basic Email – Unauthenticated
We can view the email header
in hotmail by clicking ‘Options’
Then clicking on ‘Mail Display
Settings’
Select the ‘Advanced’ radio
button in the Message Headers
section, then click the ‘OK’
button.
Basic Email – Unauthenticated
Now when you read an email message in
hotmail, the message header should be
displayed.
Similar settings exist in other email
readers (various webmail systems,
Netscape, Outlook, Evolution, etc) that
allow the email header to be viewed.
18
Basic Email – Unauthenticated
If we look at the message header, we see the following:
Received: from smtp.uaf.edu ([137.229.18.90]) by mc6mc6-f20.hotmail.com with Microsoft
SMTPSVC(5.0.2195.6713); Sat, 17 Jul 2004 17:01:49 -0700
Received: from smtp3.suscom.net (cprg
(cprg--42004200-1.cs.uaf.edu [137.229.25.234])by
[137.229.25.234])by smtp.uaf.edu
(8.12.11/8.12.11/uaf3) with SMTP id i6HNw6Cl482859for <csmn681@hotmail.com>;
<csmn681@hotmail.com>; Sat, 17 Jul
2004 15:58:42 -0800 (AKDT)
X-MessageMessage-Info: 6sSXyD95QpXKnszpKxcpTToexYIlP8dC
MessageMessage-Id: <200407172358.i6HNw6Cl482859@smtp.uaf.edu>
ReturnReturn-Path: rramos@suscom.net
X-OriginalArrivalTime:
OriginalArrivalTime: 18 Jul 2004 00:01:50.0062 (UTC) FILETIME=[6CC060E0:01C46C5A]
If we look closely enough , we may notice that some
parts of the header don’t look quite right (the yellow
part,
part, for example), but for almost all users, this would
be accepted as having been sent by Rob.
Secure Servers
This problem of reverting to insecure methods when the
secure method fails is common, as the user trades
convenience for security. As an example, amazon.com
allows users the option of signing into their account using a
“standard server” if the SSL based “secure server” login fails.
amazon.com is just used here as an example, and is certainly not the only example
of this “fail to insecure mode” issue – you should be able to think of several other
situations where an insecure method is used in the event of a failure
failure in the
secure method.
19
Phishing?
Phishing
20
Phishing
Phishing
21
Phishing
Phishing Header
ReturnReturn-Path: <frakdirect@lasalle.com>
frakdirect@lasalle.com>
Received: from mx.uaf.edu (mx.uaf.edu [137.229.34.31])
by mail1.uaf.edu (8.12.11/8.12.11/uaf4) with ESMTP id j1NCxSqR030409;
j1NCxSqR030409;
Wed, 23 Feb 2005 03:59:28 -0900
Received: from LaSalle.com (gege-germany.de [217.160.143.178])
217.160.143.178])
by mx.uaf.edu (8.12.11/8.12.11/uaf5) with SMTP id j1NCwslS021301;
Wed, 23 Feb 2005 03:58:59 -0900
MessageMessage-Id: <200502231258.j1NCwslS021301@mx.uaf.edu>
From: "LaSalle Bank" <frakdirect@lasalle.com
>
<frakdirect@lasalle.com>
Subject: LaSalleOnline - Protect your private information
Date: Thu, 24 Feb 2005 07:00:42 -0700
MIMEMIME-Version: 1.0
ContentContent-Type: text/html;
charset="Windows
charset="Windows--1251"
ContentContent-TransferTransfer-Encoding: 7bit
X-Priority: 1
X-MSMailMSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE:
MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1081
X-ProofpointProofpoint-SpamSpam-Details: rule=notspam
rule=notspam policy= score=18 mlx=18
mlx=18 adultscore=0
adultscore=0 adjust=0
engine=2.5.0engine=2.5.0-05022200 definitions=2.5.0definitions=2.5.0-05022202
X-ProofpointProofpoint-SpamSpam-Score: 18
X-ProofpointProofpoint-SpamSpam-Bar: **
22
Viruses, Worms, and Trojans
Viruses, worms, and trojans have many
purposes:
– Steal, modify or delete data.
– Allow unauthorized access to computer, which is
called a backdoor.
backdoor.
– Provide a temporary server, such as a mail server for
spam, or an FTP server.
– Create a botnet (a usually large group of
compromised computers which can be used to
perform some additional tasks, such as a Distributed
Denial of Service attack).
– Patch a security problem (not as good as it may
sound).
Malicious Code
Virus scanners are now a common piece of
software on many computers, and are relatively
good at catching known viruses, worms, and
trojans provided they are used and updated
regularly.
regularly.
Virus scanners are still not very good at
catching new viruses (e.g. on the so called
zerozero-day of an exploit).
23
Malicious Code
Computer users are becoming less
susceptible to some types of malicious code
(e.g. email attachments), so attackers often
utilize a level of social engineering in the
attack.
For example, people often will not open
attachments from people they don’t know.
– This is a good start.
– However, malicious code in email attachment often
appears to be from someone you do know, since the email
is sent from someone you know who is already infected by
the virus.
Britney Spears
Bill Gates
Jennifer Lopez
Shakira
Osama Bin Laden
Michael Jackson
Bill Clinton
Anna Kournikova
Paris Hilton
Pamela Anderson
24
Hoaxes (Social Engineering)
Virus Hoaxes: Not Just Harmless Pranks
There are a lot of viruses out there. And then there are
some viruses that aren't really out there at all. Hoax virus
warning messages are more than mere annoyances.
After repeatedly becoming alarmed, only to learn that
there was no real virus, computer users may get into the
habit of ignoring all virus warning messages, leaving
them especially vulnerable to the next real, and truly
destructive, virus.
LOOKAT: http://vil.nai.com/VIL/hoaxes.asp
http://vil.nai.com/VIL/hoaxes.asp
Hoaxes
Commentary:
The soso-called "Teddy Bear" virus hoax is not one of the latest email hoaxes
hoaxes
but, as email hoaxes go, this one is proving to be quite resilient.
resilient. It regularly
pops up on forums and news groups and still finds its way to my inbox.
Unfortunately, this one is a little more harmful than your average
average email hoax
in that it can trick unwary computer users into deleting "jdbgmgr.exe
", a
"jdbgmgr.exe",
legitimate Windows file. One of the reasons that this email hoax has been
so successfully is that the file in question (jdbgmgr.exe
(jdbgmgr.exe)) really does have a
cute little teddy bear icon. Such an icon may look out of place for a
Windows file, so people are perhaps that little bit more willing to believe the
warning in the email. Of course, if nothing else, the teddy bear icon proves
that computer programmers actually do have a sense of humor (grin).
(grin).
Teddy bear icon for jdbgmgr.exe
LOOKAT: http://www.hoaxhttp://www.hoax-slayer.com/teddyslayer.com/teddy-bearbear-virusvirus-hoax.html
25
Nigerian 419 Scam
SUBJECT: TSUNAMI DONATIONS
Dear Friend
As you read this, I don't want you to feel sorry for me, because,
because, I believe everyone will die someday.
My name is Andrew Adams a merchant in PHILIPPINES, I have been diagnosed
diagnosed with Esophageal cancer .It has
defiled all forms of medical treatment, and right now I have only
only about a few months to live, according to medical
experts. I have not particularly lived my life so well, as I never
never really cared for anyone (not even myself) but my
business. Though I am very rich, I was never generous, I was always
always hostile to people and only focused on my
business as that was the only thing I cared for. But now i regret
regret all this as I now know that there is more to life than
just wanting to have or make all the money in the world. I believe
believe when God gives me a second chance to come to
this world I would live my life a different way from how I have lived it. Now that God has called me, I have willed
and given most of my property and assets to my immediate and extended
extended family members as well as a few close
friends. I want God to be merciful to me and accept my soul so, I have decided to give alms to charity
organizations, as I want this to be one of the last good deeds I do on earth. So far, I have distributed money to
some charity organizations in the U.A.E, Algeria and Malaysia, Indian
Indian and Pakistan. Now that my health has
deteriorated so badly, I cannot do this myself anymore.
I once asked members of my family to close one of my accounts in Switzerland and distribute the money which I
have there to charity organization in Bulgaria and Pakistan, they
they refused and kept the money to themselves.
Hence, I do not trust them anymore, as they seem not to be contended
contended with what I have left for them. Now I want
you to assist me in getting some cash deposit claim and distribute
distribute to charity and people of the tsunami disaster.
The last of my money which no one knows of is the huge Cash deposit
deposit of $36,000.000.00 million united states
dollars that I have with a finance/Security Company abroad. I will
will want you to help me collect this deposit and
dispatched it to charity organizations. I have set aside twenty percent for you and for your time. My email address
is: [removed]
regards,
Andrew Adam
LOOKAT: http://www.hoaxhttp://www.hoax-slayer.com/tsunamislayer.com/tsunami-nigeriannigerian-scam.html
Money From Microsoft
Subject: FW: PLEEEEEASE READ!!!! It was on the news!
Dear friends,
Something to share with all of u. Would u believe if this is true?
true? Read on..... For those who need money badly and
this is one opportunity to try it! I'm an attorney, and I know the
the law. This thing is for real. Rest assured AOL and
Intel will follow through with their promises for fear of facing a multimillionmultimillion-dollar class action suit similar to the one
filed by PepsiCo against General Electric not too long ago.
Dear Friends,
Please do not take this for a junk letter. Bill Gates is sharing his fortune. If you ignore this you will repent later.
Microsoft and AOL are now the largest Internet companies and in an effort to make sure that Internet Explorer
remains the most widely used program, Microsoft and AOL are running
running an ee-mail beta test. When you forward this
e-mail to friends, Microsoft can and will track it (if you are a Microsoft
Microsoft Windows user) for a two week time period.
For every person that you forward this ee-mail to, Microsoft will pay you $245.00, for every person that you
you sent it to
that forwards it on, Microsoft will pay you $243.00 and for every
every third person that receives it, you will be paid
$241.00. Within two weeks, Microsoft will contact you for your address
address and then send you a cheque.
cheque.
Regards.
Charles S. Bailey
General Manager Field Operations
[CONTACT DETAILS REMOVED]
I thought this was a scam myself, but two weeks after receiving this ee-mail and forwarding it on, Microsoft
contacted me for my address and within days, I received a cheque for US$24,800.00. You need to respond before
the beta testing is over. If anyone can afford this Bill Gates is
is the man. It's all marketing expense to him. Please
forward this to as many people as possible. You are bound to get at least US$10,000.00.
We're not going to help them out with their ee-mail beta test without getting a little something for our time. My
brother's girlfriend got in on this a few months ago. When I went
went to visit him for the Baylor/UT game. She showed
me her check. It was for the sum of $4,324.44 and was stamped "Paid
"Paid In Full".
Like I said before, I know the law, and this is for real Intel and
and AOL are now discussing a merger which would
make them the largest Internet company and in an effort make sure
sure that AOL remains the most widely used
program, Intel and AOL are running an ee-mail beta test.
LOOKAT: http://www.hoaxhttp://www.hoax-slayer.com/tsunamislayer.com/tsunami-nigeriannigerian-scam.html
26
Life Is Beautiful
This information arrived this morning, from Microsoft and Norton.
Norton. Please send it to everybody you
know who accesses the Internet. You may receive an apparently harmless
harmless email with a
PowerPoint presentation called "Life is beautiful.pps."
beautiful.pps."
If you receive it DO NOT OPEN THE FILE UNDER ANY CIRCUMSTANCES, and delete it
immediately. If you open this file, a message will appear on your
your screen saying: "It is too late now,
your life is no longer beautiful", subsequently you will LOSE EVERYTHING
EVERYTHING IN YOUR PC and the
person who sent it to you will gain access to your name, email and
and password. This is a new virus
which started to circulate on Saturday afternoon. WE NEED TO DO EVERYTHING POSSIBLE
TO STOP THIS VIRUS. UOL has already confirmed its dangerousness, and the antivirus Softs
are not capable of destroying it. The virus has been created by a hacker who calls himself "life
owner", and who aims to destroying domestic PCs and who also fights
fights Microsoft in court! That's
why it comes disguised with extension pps.
pps. He fights in court for the WindowsWindows- XP patent.
MAKE A COPY OF THIS EMAIL TO ALL YOUR FRIENDS
LOOKAT: http://www.hoaxhttp://www.hoax-slayer.com/lifeslayer.com/life-isis-beautifulbeautiful-virusvirus-hoax.html
Charity Hoax
Hi, my name is Amy Bruce. I am 7 years old, and I have severe lung
lung cancer
from second hand smoke. I also have a large tumor in my brain, from
from
repeated beatings. doctors say I will die soon if this isn't fixed,
fixed, and my family
can't pay the bills. The Make A Wish Foundation, has agreed to donate
donate 7
cents for every time this message is sent on.
For those of you who send this along, I thank you so much, but for
for those
who don't send it, what goes around comes around. Have a Heart, please
send this. Please, if you are a kind person, send this on. PLEASE
PLEASE HIT
FORWARD BUTTON "NOT REPLY BUTTON".
LOOKAT: http://www.hoaxhttp://www.hoax-slayer.com/amyslayer.com/amy-brucebruce-charitycharity-hoax.html
27
Outline
Introduction
Overview of Computer Security
Email Security
Password Safety
What You Can Do
Access Control
You can control access based on:
– Who you are (e.g. fingerprint)
– Where you are (e.g. at a certain terminal)
– What you have (e.g. ATM card)
– What you know (e.g. password)
28
Policy Issues
System administrators can establish and
enforce password policies including the
following:
– Password strength
Length
Contents
– Password Change
Timed
First time
–
–
–
Account lockouts
How the password is stored
What to do when someone forgets their password
Encryption
– Passwords are usually encrypted
using a one-way encryption
– Encrypted version is stored
– User entry is encrypted and
compared with stored version
29
UNIX Password
adelia:
adelia:gDlE1lfHj06vE:
gDlE1lfHj06vE:1311:
1311:100:adelia
100:adelia maples:/usr/home/adelia:/bin/tcsh
maples:/usr/home/adelia:/bin/tcsh
josefa:
josefa:.lZJON/EqHGvA:
.lZJON/EqHGvA:2783:
2783:100:josefa
100:josefa bedard:/usr/home/josefa:/bin/tcsh
ashli:
1529::100:ashli
ashli:ynuN69Od91kOo:
ynuN69Od91kOo:1529
100:ashli blocker:/usr/home/ashli:/bin/tcsh
blocker:/usr/home/ashli:/bin/tcsh
Username
Encrypted Password
User Identification Number (UID)
User Group Identification Number (GID)
User Name
User Home Directory
User Shell
Unencrypted Data
Google (http://www/google.com
(http://www/google.com)) uses a database to
quickly retrieve information.
– This allows users to quickly find pages related to their search
criteria.
– It also allows searches based on a number range, for
example using 1…50 as the search criteria generates a list
of all pages that include the numbers 1 through 50.
– We can use this feature to search for credit card numbers,
for example, using a search criteria such as
4111000000000000...4111999999999999
– This is not a bug, but it does demonstrate the power of a well
designed database (whether the results are then used for
good or bad is another issue).
30
Unencrypted Passwords
If a system administrator can tell you
(or send you) your password, then
your password is most likely stored
in plain text on their machine.
Unencrypted Passwords
Unencrypted passwords are VERY
vulnerable
Sniffing
Social engineering
Shoulder surfing
Hacking
Printing
31
Unencrypted Passwords
Unencrypted Passwords
32
Unencrypted Passwords
Encrypted Password – Dictionary Attack
– Word set is identified
– Word set is encrypted
– Compared with password list
33
Common Passwords
23% child's name
19% partner's name
12% birthdays
9% football team
9% celebrities and bands
9% favorite places
8% own name
8% pet's name
Common Passwords
lists 7.4%
common names 4.0%
user/account name 2.7%
phrases and patterns 1.8%
women's names 1.2%
men's names 1.0%
machine names 1.0%
34
--I keep forgetting my password
--I have too many passwords
--I use the same password for
everything
--I can’t remember the website
address for my journal
subscription.
…a word about password safes
Outline
Introduction
Overview of Computer Security
Email Security
Password Safety
What You Can Do
35
What Can You Do?
Deans and Directors Security Page
http://rusecure.rutgers.edu/people/deans_n_dir.php
http://rusecure.rutgers.edu/people/deans_n_dir.php
Faculty/Staff Development
Policy Development
–
–
–
–
–
Passwords
Plagiarism
Computer Use
Website Credibility
Surplus Equipment
Students
– Modules in courses
– Courses
– Internet references vs technical journals
What Can You Do?
Develop courses, certificates, and programs
q
q
q
q
q
q
q
q
q
q
Business – Security Management
Engineering – Networks, Wireless Security, RFID...
Legal – FERPA, HIPAA, Cyberethics...
Cyberethics...
Computer Science – Millions of things
Physics/EE – Power Systems, Critical Infrastructure
Communication/Sociology – Social Engineering
Library Science – Internet Resources
Education – Preservice and Inservice Teacher Training
Mathematics – Cryptography
Statistics – Combinatorics (passwords)
36
What Can You Do?
Opportunities
– Funding
Research
Education
Outreach
– New student populations
Questions?
This presentation will be available at the
ASSERT website:
assert.uaf.edu
37
References
[1] Pfleeger, Charles P., and Shari Lawrence Pfleeger.
Security in Computing, 3rd Edition. Pearson Education
Inc. 2003
38