Network Security and Surveillance

(1)

Network Security and Surveillance

G. Sivakumar

Computer Science and Engineering IIT Bombay

siva@iitb.ac.in

October 14, 2005

1 Internet Security Overview Some Puzzles

2 Defence: Cryptography

3 Offence: RFIDs and Surveillance

(2)

Internet’s Growth and Charter

Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...

WebTone like DialTone

G. Sivakumar Computer Science and Engineering IIT Bombay siva@iitb.ac.in

Network Security and Surveillance

(3)

Internet’s Dream

Why should a fridge be on Internet?

Will security considerations make this a nightmare?

(4)

What are Cyber crimes?

Against People

Cyber Stalking and Harrassment (Child) Pornography

Against Property Cracking Virus and Spam

Software/Entertainment Piracy Cyber Terrorism!

(5)

Security Concerns

Match the following!

Problems Attackers

Highly contagious viruses Unintended blunders

Defacing web pages Disgruntled employees or customers Credit card number theft Organized crime

On-line scams Foreign espionage agents Intellectual property theft Hackers driven by technical challenge

Wiping out data Petty criminals

Denial of service Organized terror groups

Spam E-mails Information warfare

Reading private files ...

Surveillance ...

Crackers vs. Hackers

Note how much resources available to attackers.

(6)

Cyber Terrorism?

Some examples from http://cybercrimes.net/

1989: Legion of Doom group took over the BellSouth telephone system, tapped phone lines, re-routed calls, ...

1996: A white supremacist movement took out a Massachusetts internet service provider

1997: A cracker disabled the computer system of an airport control tower at the Worcester, Mass. Airport.

1997: a hacker in Sweden jammed the 911 emergency telephone system all throughout west-central Florida.

1998: NASA, Navy, and Defence Department computers were attacked.

2000: in Maroochy Shire, Australia, a disgruntled consultant hacked into a waste management control system and released millions of gallons of raw sewage on the town.

2001: Two post-graduate students cracked a bank system used by banks and credit card companies to secure the personal

identification numbers of their customers accounts. [38]

(7)

Emergency Response: http://www.cert-in.org.in/

(8)

Internet Attacks Timeline

From training material at http://www.cert-in.org.in/

(9)

Internet Attack Trends

From training material at http://www.cert-in.org.in/

(10)

Indian IT Act 2000

Basic Legal Framework

Electronic documents, signatures as evidence Cyber Crimes & Punishments

Secn 43: Damage to Computers/Network Secn 65: Tampering source code

Secn 66: “Hacking” (cracking) Secn 67: Obscenity (bazee.com!) Secn 69: Interception

Several Initiatives (PKI, CERT-IN, Cyber cells, ...)

(11)

Vulnerabilities

Application Security Buggy code Buffer Overflows Host Security

Server side (multi-user/application) Client side (virus)

Transmission Security

(12)

Denial of Service

Small shop-owner versus Supermarket

What can the attacker do?

What has he gained or compromised?

What defence mechanisms are possible?

Screening visitors using guards (who looks respectable?)

VVIP security, but do you want to be isolated?

what is the Internet equivalent?

(13)

Security Requirements

Informal statements (formal is much harder)

Confidentiality Protection from disclosure to unauthorized persons Integrity Assurance that information has not been modified unauthorizedly.

Authentication Assurance of identity of originator of information.

Non-Repudiation Originator cannot deny sending the message.

Availability Not able to use system or communicate when desired.

Anonymity/Pseudonomity For applications like voting, instructor evaluation.

Traffic Analysis Should not even know who is communicating with whom. Why?

Emerging Applications Online Voting, Auctions (more later)

And all this with postcards (IP datagrams)!

(14)

Exchanging Secrets

Goal

A and B to agree on a secret number. But, C can listen to all their conversation.

Solution?

A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.

(15)

Exchanging Secrets

Goal

A and B to agree on a secret number. But, C can listen to all their conversation.

Solution?

A tells B: I’ll send you 3 numbers. Let’s use their LCM as the key.

(16)

Mutual Authentication

Goal

A and B to verify that both know the same secret number. No third party (intruder or umpire!)

Solution?

A tells B: I’ll tell you first 2 digits, you tell me the last two...

(17)

Mutual Authentication

Goal

A and B to verify that both know the same secret number. No third party (intruder or umpire!)

Solution?

A tells B: I’ll tell you first 2 digits, you tell me the last two...

(18)

Cryptography and Data Security

sine qua non [without this nothing :-]

Historically who used first? (L & M) Code Language in joint families!

(19)

Symmetric/Private-Key Algorithms

(20)

Asymmetric/Public-Key Algorithms

Keys are duals (lock with one, unlock with other) Cannot infer one from other easily

How to encrypt? How to sign?

(21)

One way Functions

Mathematical Equivalents

Factoring large numbers (product of 2 large primes)

Discrete Logarithms

(22)

Security Mechanisms

System Security: “Nothing bad happens to my computers and equipment”

virus, trojan-horse, logic/time-bombs, ...

Network Security:

Authentication Mechanisms “you are who you say you are”

Access Control Firewalls, Proxies “who can do what”

Data Security: “for your eyes only”

Encryption, Digests, Signatures, ...

(23)

Security Mechanisms

System Security: “Nothing bad happens to my computers and equipment”

virus, trojan-horse, logic/time-bombs, ...

Network Security:

Authentication Mechanisms “you are who you say you are”

Access Control Firewalls, Proxies “who can do what”

Data Security: “for your eyes only”

Encryption, Digests, Signatures, ...

(24)

Security Mechanisms

System Security: “Nothing bad happens to my computers and equipment”

virus, trojan-horse, logic/time-bombs, ...

Network Security:

Authentication Mechanisms “you are who you say you are”

Access Control Firewalls, Proxies “who can do what”

Data Security: “for your eyes only”

Encryption, Digests, Signatures, ...

(25)

Network Security Mechanism Layers

Cryptograhphic Protocols underly all security mechanisms. Real

Challenge to design good ones for key establishment, mutual

authentication etc.

(26)

What is RFID?

Not just super barcode.

Already in use by Andhra Pradesh police?

(27)

How RFID works

(28)

RFID Tags

Passive

Cheapest: no battery in tag All power comes from reader Semi Passive

With batteries

Improved performance and reliability Increased size and cost

Active

High performance and cost Active

(29)

Privacy Concerns

(30)

RFID Applications

Payment

Toll collection

Fuel payment (Speedpass) Parking

Pre-payment card (Dexit) Supply Chain Mgmt

Logistics Inventory Mgmt Asset Tracking

High value assets Re-useable containers Shipping containers Inventory

Access Control Card Keys

Automotive anti-theft Anti-theft

Shrinkage

Automotive anti-theft Track & Trace

Food

Pharmaceuticals Books

Parts/lots tracking Apparel

(31)

References

Books

TCP/IP Illustrated by Richard Stevens, Vols 1-3, Addison-Wesley.

Applied Cryptography - Protocols, Algorithms, and Source Code in C by Bruce Schneier, Jon Wiley & Sons, Inc. 1996 Cryptography and Network Security: Principles and Practice by William Stallings (2nd Edition), Prentice Hall Press; 1998.

Practical Unix and Internet Security, Simson Garfinkel and Gene Spafford, O’Reilly and Associates, ISBN 1-56592-148-8.

Web sites

www.cerias.purdue.edu (Centre for Education and Research in Information Assurance and Security)

www.sans.org (System Administration, Audit, Network Security)

cve.mitre.org (Common Vulnerabilities and Exposures)

csrc.nist.gov (Computer Security Resources Clearinghouse)

www.vtcif.telstra.com.au/info/security.html