Privacy and Security

CPSC 101

Learning Goals
By the end of this unit, you will be able to:
Define computer security in terms of the C-I-A principles Explain how we uphold the C-I-A principles, and give examples of what that means in simple administrative systems Lists the types of ways in which computer security can be compromised List the risks associated with computers, and the vulnerabilities that have been identified here Describe the differences between viruses, trojans and worms. Describe goals and techniques of hackers and understand basic ways of dealing with them. Differentiate different online activities among associated risk (i.e. online banking is a relatively safe activity-- explain why) Define encryption and the Caesar Cipher; translate an encoded message given a key using this cipher Differentiate between black box and white box security and their relative merits. Respect the danger; be responsible computer users! Explain why computer security is important. Justify your behavior as a responsible computer user.

Defining Computer Security

Computer and network security are built upon three general principles (C-I-A):
Confidentiality
Data is kept hidden from all but those authorized to view it

Integrity
Data remains in the same state as it was left by the last authorized user; cannot be corrupted either accidentally or maliciously

Availability
Data is accessible to authorized users as necessary, in a convenient format, and without unreasonable delay

Defining Computer Security

Central to upholding the C-I-A are the following:
Identification
Who do you say you are?

Authentication
How do I know its really you?

Authorization
Now that you are here, what are you allowed to do?

Accountability
Who did what? Whos responsible? When did they do it?

Defining Computer Security

Example, keep-it-simple administration:
Identification
Username

Authentication
Password

Authorization
Accessibility restrictions

Accountability
Record major actions of the user in the previous 7 days
What is wrong with this? How do I break in?

Defining Computer Security

Example, high-security administration:
Identification
Username

Authentication
Biometric reader (retina, finger print, voice analysis) Password

Authorization
Accessibility restrictions

Accountability
Record all actions taken by the user indefinitely.

Computer Security
Write the names and student IDs of the 2-4 students participating on one sheet of paper. 2. List 3 examples of computer security threats or issues. 3. List 2 ways of dealing with each type of threat. 4. Come up with a definition of Computer Security.
1.

Computer Security Basics

Major computer security issues:
Identity theft / Personal theft Viruses / Trojans / Worms Spyware / Adware National security Privacy concerns Protecting our children Hackers / Software crackers Spam / email fraud / spoofing

Types of Threats
Unintentional threats:
Carelessness causes more problems than you might first imagine. In general, more information is lost/compromised through acts of carelessness than through acts of malice!
What are the major threats from carelessness?

Intentional threats:
The reality is the average user is not only incapable of mounting a serious attack on a computer, but likely completely disinterested in doing so. Nonetheless, criminals and vandals who are capable and desirous do exist.

Natural threats

Vulnerability
The onset of broadband-- rapid, personal Internet connections-- has changed our risk factors
Now we have everyday users with computers at home, connected to the Internet, and running 24/7
i.e. targets!

It is estimated that the between the initial set up of a computer and the first attack is < 2 minutes!
This can happen before you have time to install countersoftware! New computers can have viruses within minutes!

Vulnerability
Types of vulnerability:
Physical
Theft, sabotage, vandalism of physical hardware Locks, guards and biometrics can be put in place to reduce

Natural
Environmental threats (dust, humidity, temperature/power fluctuations), natural threats (lightning, fires, floods), natural disasters (floods, earthquakes)

Hardware/software vulnerabilities
Exploitation by hackers/crackers

Vulnerability
Other types of vulnerability:
Media
Lost/damaged backup media; erasing data; media degredation

Communication
Intercepting data/messages (electronic eavesdroppers)

Humans!
What if your network admin decides on a life of crime? What if someone writes down a key password and loses it?

Vulnerability
That is, your system may be participating in illicit behaviour without your knowledge. Examples include:
Distributed Denial of Service attacks (DDoS), where a target is bombarded with requests so as to overwhelm and disable the system Email Relays where your system is used to relay spam or even pornography-- such messages look like they come from you! Illicit Website Hosting where your computer may be hosting web sites that youre not aware of.

Hacking / Cracking
A word with lots of history. Some attempts have been made to differentiate hacking from cracking by emphasizing that hacking is non-destructive. Overall, the key goals for hackers are to:
Gain unrestricted or root access and the installation of a back door which provides easy future access to the system. Search for valuable data like passwords, credit card numbers, or important files. Sometimes and, in the best case, simply entertainment.

Hacking / Cracking Techniques

Dictionary Attack: beat a password by using a massive dictionary of the most common passwords. Port / File Scanning: identifying vulnerable programs that are listening to network ports or files that have incorrect access controls and using them. Packet Sniffing: intercepting and reading network traffic and looking for valuable data like passwords or credit card numbers. Code Injection Attacks: sending a malformed message to a program that causes actions that are unwanted. Shoulder surfing: finding passwords by literally watching people type them. Password gathering: using passwords from one system to break into other systems. Default exploits: a technique for accessing a system by exploiting default passwords that may be left unchanged. Why am I teaching you this? (Hint: no, Im not trying to make you a hacker)

Viruses
Virus is a term that is often incorrectly used to describe several varieties of malicious programs:
Virus: fairly uncommon in modern computing. True viruses are programs that spread through human intervention such as infecting an USB drive or email. Commonly and incorrectly used as a name for all malware programs. Trojan: a very common type of malware. Trojans are programs that pretend to be another program. Worm: another common type malware. Worms are malware programs that move automatically from computer to computer.

Privacy and Authentification: Email

Email travels through several layers of systems in its journey from sender to recipient
In theory, anyone with the right level of access and technical expertise can read your email without you ever knowing

Email typically contains the address of the sender, however these addresses can be forged
Ever receive spam that looks like its from someone you know?

Privacy and Authentification: Email

How can we protect ourselves? Emails with highly sensitive content simply should not be sent
Give credit card information over the phone during a call that you place.

If you must send sensitive content, send an encrypted message

Thus, if it is intercepted, the perpetrator will see only an encrypted message

What does both of these assume?

Privacy and Authentification

How can we protect ourselves?
Choose your passwords wisely! Dont use obvious words Dont use single words Intentionally misspell a word or use acronyms Choose passwords at least 8 characters long Mix upper and lower case Add numbers, punctuation marks, or symbols Dont write your password down or tell anyone Change your password regularly

Online banking, etc.

What are our concerns?
How do we know when we are doing our online banking that our data is really safe? What do banks do to protect us? Is our data safe even on our own computers?

Lets take a look at how banks protect us (and themselves)...

Shh Its a secret!

First, banks use something called 128-bit encryption Encryption refers to a process of hiding data such that the original information can only be recovered through the corresponding decryption process. The science of encryption-decryption is called cryptography In general, the algorithms for these method are publicly available Wait a second! Publically available? Wouldnt it be better if the algorithms were secret?

Black Box vs White Box Security

Black box security: Information about the security techniques are hidden to prevent vulnerabilities from being detected.
Problem: you are assuming that your information stays hidden.

White (or Clear) box security: Information about the security is publically available.
If you are safe with white box security, your system is truly secure since are not relying on information remaining secret. White box security encourages examination and early detection of threat by ethical hackers.

Shh Its a secret!

If the cryptography algorithms are public, then how is our data safe?
Through the use of a key
Sample key: 0001000 10101010 00101000 01101110

An encrypt. algorithm takes the original message and the key, and uses the key to alter the original message based on the contents of that key
Thus, even if you have the decryption algorithm, you cannot decrypt a message without the key! Its the keys that must be top secret!

Caesar Cipher
The Caesar Cipher is one of the earliest examples of cryptography supposedly invented by Julius Caesar
A cipher is a means of transforming text in order to contain its meaning

Caesar would take the alphabet and shift it a certain number of spaces
For example, if the shift was 3, then A would become D, B would be E, etc.

The key was then the shift factor (how much you shifted)

Caesar Cipher
For example, a shift-factor of 3 (key == 3) would change the following message THIS IS MY FAVOURITE CLASS! to... WKLV LV PB IDYRXULWH FODWW! If we take out the punctuation and spaces... WKLVLVPBIDYRXULWHFODWW

Back to online banking

So how does the bank use this?
They use a key that is 128-bits long... that is...

XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
... zeros and ones This key is so powerful that it is currently the highest available (legally) Stealing information encrypted at this level is virtually impossible

Well, unless youre planning on living forever and have a lot of time on your hands... Consider this... using 128-bit keys:
There are 2128 possible keys That is, 340,282,366,920,938,463,463,374,607,431, 768,211,456 possible combinations of ones and zeros If we assume we can test 60 keys a second, thats 567,137,278,201,564,105,722,910,123,862,803,524 seconds Or, 94,522,879,700,260,684,295,381,835,397,713,392 minutes Or, 1,575,381,328,337,678,071,589,697,256,628,556 hours Or, 65,640,888,680,736,586,316,237,385,692,856 days Or, 179,838,051,180,100,236,482,842,152,583 years

Virtually impossible?

Wow, so its bullet proof right?

Well, not exactly. The encryption itself is essentially impossible to break...
..but what matters is where the security measures are being applied All of your data that is transferred over the Internet has to be secured to this level How can you be sure that the encryption technique is really so hard to break? Mathematical tricks have broken several previous encryption techniques. How can you tell if data is encrypted? Look for the padlock, or similar symbol indicating that all content sent to or from this site is encrypted. Check the company for more information on what bit encryption they use.

To make things even stronger

Encryption ensures that someone cannot break in or intercept your banking data
Banks also use PINs (personal identification numbers) and passwords This means that someone cant pretend to be you, without logging in as you

Heres where good password choices are important Companies through whom you may purchase or otherwise provide banking information also use direct-modem connections
Direct connections that are not through the Internet

Whats a user to do?

Its a scary world out there, admittedly...
You need to worry about power failures, natural disasters, making backups, worms, trojans, physical theft. You need to worry about computer abuse and the unwittingly role you may play if you do not adequately protect your computer. If you are on a network, you must observe network security and access restrictions.

Whats a user to do?

Recognize your responsibility! If you operate a computer of any kind then you share a responsibility for computer security
Run virus software and keep it up-to-date Run a firewall to protect your system from unwanted visitors, and keep up-to-date Practice responsible web surfing and email browsing Never click on a link in an email unless you are sure of the sender/source; if youre not sure, email your friend and ask for confirmation Never respond to email phishing; this includes unsubscribe requests!

Whats a user to do
Recognize the real threats... The likelihood of your data being stolen through an encrypted site, such as a banking website, or online store, is extremely slim But first do your research and ensure that they have adequate encryption Also check for the padlock before ever entering/submitting data Most data is compromised due to carelessness and irresponsible computer users
Ask yourself: is that you?

Summary
There are different levels of risks associated with computers We must understand those risks and our responsibilities with upholding computer security There are many types of computer vulnerabilities, and many ways to respond to each of those vulnerabilities Still, many aspects of computing are safer than we may initial think, such as online banking

Learning Goals
By the end of this unit, you will be able to:
Define computer security in terms of the C-I-A principles Explain how we uphold the C-I-A principles, and give examples of what that means in simple administrative systems Lists the types of ways in which computer security can be compromised List the risks associated with computers, and the vulnerabilities that have been identified here Differentiate different online activities among associated risk (i.e. online banking is a relatively safe activity-- explain why) Define encryption and the Caesar Cipher; translate an encoded message given a key using this cipher Respect the danger; be responsible computer users! Explain why computer security is important. Justify your behaviour as a responsible computer user.