how to be a paranoid or just think like one
play

How to be a paranoid or just think like one 1 2 Leaking - PowerPoint PPT Presentation

Sep 15, 2023 •262 likes •580 views

Pro rotection a and S d Securi rity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veteran s data Data on laptop stolen from employee s home (5/06) Veterans names Social Security

  1. Pro rotection a and S d Securi rity How to be a paranoid or just think like one 1

  2. 2

  3. Leaking information Stealing 26.5 million veteran ’ s data Data on laptop stolen from employee ’ s home (5/06) Ø Veterans ’ names Ø Social Security numbers Ø Dates of birth Exposure to identity theft CardSystems exposes data of 40 million cards (2005) Ø Data on 70,000 cards downloaded from ftp server These are attacks on privacy (confidentiality, anonymity) 3

  4. The Sony rootkit “ Protected ” albums included Ø Billie Holiday Ø Louis Armstrong Ø Switchfoot Ø The Dead 60 ’ s Ø Flatt & Scruggs, etc. Rootkits modify files to infiltrate & hide Ø System configuration files Ø Drivers (executable files) 4

  5. The Sony rootkit Sony ’ s rootkit enforced DRM but exposed computer Ø CDs recalled Ø Classified as spyware by anti-virus software Ø Rootkit removal software distrubuted Ø Removal software had exposure vulnerability Ø New removal software distrubuted Sony sued by Ø Texas Ø New York Ø California This is an attack on integrity 5

  6. The Problem Types of misuse Ø Accidental Ø Intentional (malicious) Protection and security objective Ø Protect against/prevent misuse Three key components: Ø Authentication: Verify user identity Ø Integrity: Data has not been written by unauthorized entity Ø Privacy: Data has not been read by unauthorized entity 6

  7. Have you used an anonymizing service? 1. Yes, for email 2. Yes, for web browsing 3. Yes, for something else 4. No 7

  8. What are your security goals? Authentication Ø User is who s/he says they are. Ø Example: Certificate authority (verisign) Integrity Ø Adversary can not change contents of message Ø But not necessarily private (public key) Ø Example: secure checksum Privacy (confidentiality) Ø Adversary can not read your message Ø If adversary eventually breaks your system can they decode all stored communication? Ø Example: Anonymous remailer (how to reply?) Authorization, repudiation (or non-repudiation), forward security (crack now, not crack future), backward security (crack now, not cracked past) 8

  9. What About Security in Distributed Systems? Three challenges Ø Authentication ❖ Verify user identity Ø Integrity ❖ Verify that the communication has not been tempered with Ø Privacy ❖ Protect access to communication across hosts Solution: Encryption Ø Achieves all these goals Ø Transform data that can easily reversed given the correct key (and hard to reverse without the key) 9

  10. Encryption (big idea) Bob wants to send Alice a message m Does not want Eve to be able to read message Idea: Bob: E(m) -> c // Sends c over the network to Alice Alice: D(c) -> m Function E encrypts plaintext message to ciphertext (c) Function D decrypts ciphertext to plaintext Eve can only read c, which looks like garbage 10

  11. Keyed encryption Most implementations of E() and D() need a secret key Ø Eve can know E() and D() code ❖ Not many cryptographic algorithms in the world Ø Alice and Bob just need to pick secret keys Eve doesn’t know (and each other may not know) ❖ Some mathematical constraints Two types: Ø Symmetric key Ø Public/private key 11

  12. Symmetric Key (Shared Key) Encryption Basic idea: Ø E(m, k) à cipher text c Ø D(c, k) à plain text m Somehow, Alice and Bob exchange the key out of band Ø Exercise for the reader Need to keep the shared key secret! 12

  13. Public Key Encryption Basic idea: Ø Separate authentication from secrecy Ø Each key is a pair: K-public and K-private Ø Alice and Bob both have key pairs (Ka and Kb) Example: Ø Alice: E(m, Ka-private, Kb-public) -> c Ø Only Bob can decrypt c with: ❖ D(c, Ka-public, Kb-private) -> m Message is confidential even if Eve knows Ka-public and Kb-public Ø No out-of-band protocol needed to exchange a shared secret Ø But Alice does have to trust that Kb-public belongs to Bob ❖ Typically managed by some trusted certificate authority or key distribution network ◆ Debian developers meet and sign each others’ keys at conferences 13

  14. Mitigating costs Public key crypto is more expensive than shared key Idea: Use public key crypto to exchange a temporary, session key Ø During a session, exchange messages using shared key One expensive public key message to set up session Ø All future messages cheap Ø This is how SSL/TLS and other protocols work 14

  15. Digital signatures Cryptographic hash Ø Hash is a fixed sized byte string which represents arbitrary length data. Ø Hard to find two messages with same hash. Ø If m != m ’ then H(m) != H(m ’ ) with high probability. H(m) is 256 bits Message integrity with digital signatures Ø For message m: hash m, encrypt the hash (E(H(m)) = s ❖ With public key crypto Ø Receiver: verify that H(m) == D(s) Signature will only verify if: Ø Hash was encrypted by owner of K-public Ø Message did not change Also provides non-repudiation 15

  16. Implementing your security goals Authentication Ø {I’m Don}^K-private Integrity Ø {SHA-256 hash of message I just send is … }^K-private Privacy (confidentiality) Ø Public keys to exchange a secret Ø Use shared-key cryptography (for speed) Ø Strategy used by ssh Forward/backward security Ø Rotate shared keys every hour Repudiation Ø Public list of cracked keys 16

  17. When you log into a website using an http URL, which property are you missing? 1. Authentication 2. Integrity 3. Privacy 4. Authorization 5. None 17

  18. Securing HTTP: HTTPS (HTTP+SSL/TLS) client server CA hello(client) certificate certificate ok? {certificate valid}^CA-private {send random shared key}^S-public switch to encrypted connection using shared key 18

  19. When you visit a website using an https URL, which property are you missing? 1. Authentication (server to user) 2. Authentication (user to server) 3. Integrity 4. Privacy 5. None 19

  20. Authentication Objective: Verify user identity Common approach: Ø Passwords: shared secret between two parties Ø Present password to verify identity 1. How can the system maintain a copy of passwords? Ø Encryption: Transformation that is difficult to reverse without right key Ø Example: Unix /etc/passwd file contains encrypted passwords Ø When you type password, system encrypts it and then compared encrypted versions 20

  21. Authentication (Cont ’ d.) 2. Passwords must be long and obscure Ø Paradox: v Short passwords are easy to crack v Long passwords – users write down to remember è vulnerable Ø Original Unix: v 5 letter, lower case password v Exhaustive search requires 26^5 = 12 million comparisons v Today: < 1us to compare a password è 12 seconds to crack a password Ø Choice of passwords v English words: Shakespeare ’ s vocabulary: 30K words v All English words, fictional characters, place names, words reversed, … still too few words v (Partial) solution: More complex passwords Ø At least 8 characters long, with upper/lower case, numbers, and special characters 21

  22. Are Long Passwords Sufficient? Example: Tenex system (1970s – BBN) Ø Considered to be a very secure system Ø Code for password check: For (i=0, i<8, i++) { if (userPasswd[i] != realPasswd[i]) Report Error; } Ø Looks innocuous – need to try 256^8 (= 1.8E+19) combinations to crack a password Ø Is this good enough?? No!!! 22

  23. Are Long Passwords Sufficient? (Cont ’ d.) Problem: Ø Can exploit the interaction with virtual memory to crack passwords! Key idea: Ø Force page faults at carefully designed times to reveal password Ø Approach ❖ Arrange first character in string to be the last character in a page ❖ Arrange that the page with the first character is in memory ❖ Rest is on disk (e.g., a|bcdefgh) ❖ Check how long does a password check take? ◆ If fast è first character is wrong ◆ If slow è first character is right à page fault à one of the later character is wrong ❖ Try all first characters until the password check takes long ❖ Repeat with two characters in memory, … Ø Number of checks required = 256 * 8 = 2048 !! Fix: Ø Don ’ t report error until you have checked all characters! Ø But, how do you figure this out in advance?? Ø Timing bugs are REALLY hard to avoid 23

  24. Alternatives/enhancements to Passwords Easier to remember passwords (visual recognition) Two-factor authentication Ø Password and some other channel, e.g., physical device with key that changes every minute Ø http://www.schneier.com/essay-083.html Ø What about a fake bank web site? (man in the middle) Ø Local Trojan program records second factor Biometrics Ø Fingerprint, retinal scan Ø What if I have a cut? What if someone wants my finger? Facial recognition 24

  25. Password security § Instead of hashing your password, I will hash your password concatenated with a random salt. Then I store the unhashed salt along with the hash. § (password . salt)^H salt What attack does this address? § 1. Brute force password guessing for all accounts. 2. Brute force password guessing for one account. 3. Trojan horse password value 4. Man-in-the-middle attack when user gives password at login prompt. 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Jerry: Linda, do you think Im paranoid? Linda: Youre not really paranoid if

Jerry: Linda, do you think Im paranoid? Linda: Youre not really paranoid if

Jerry: Linda, do you think Im paranoid? Linda: Youre not really paranoid if everyone really is after you, Jerry. Jerry: Maybe all security people are crazy! Linda: No, theyre just insecure. Everything You

444 views • 17 slides
Becoming Paranoid Or how I learned to start worrying and fear the Internet George V.

Becoming Paranoid Or how I learned to start worrying and fear the Internet George V.

Becoming Paranoid Or how I learned to start worrying and fear the Internet George V. Neville-Neil www.neville-neil.com Why This Talk? To make all of you more paranoid Give people a grounding in current problems with securing internet

659 views • 33 slides
How to be a paranoid Dates of birth or just think like one Exposure to identity theft

How to be a paranoid Dates of birth or just think like one Exposure to identity theft

Leaking information Stealing 26.5 million veteran s data Pro rotection a and S d Securi rity Data on laptop stolen from employee s home (5/06) Veterans names Social Security numbers How to be a paranoid Dates of birth or

337 views • 5 slides
How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million

Protection tion and Se Secur urity ity How to be a paranoid or just think like one 1 2 Leaking information Stealing 26.5 million veterans data Data on laptop stolen from employees home (5/06) Veterans names Social Security

619 views • 27 slides
Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit

Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit

Infrastructure Design For The Professionally Paranoid Or: Ticking The Boxes For Fun And Profit Mika Bostrm &lt;mika.bostrom@smarkets.com&gt; Infrastructure Engineer, Information Security Officer[], semi-professional interviewer, Systems

411 views • 19 slides
Intro to Networking for the Insufficiently Paranoid Mihai Christodorescu CS 642 Spring 2007

Intro to Networking for the Insufficiently Paranoid Mihai Christodorescu CS 642 Spring 2007

Intro to Networking for the Insufficiently Paranoid Mihai Christodorescu CS 642 Spring 2007 mihai@cs.wisc.edu Original slides by Jonathon Giffin Internet: Attack and Defenses Makes communication easier and faster Makes attacks

1.05k views • 66 slides
Agility UNC COMP 523 October 5, 2020 Jeff Terrell 1 / 49 Announcements music: Paranoid Android

Agility UNC COMP 523 October 5, 2020 Jeff Terrell 1 / 49 Announcements music: Paranoid Android

Agility UNC COMP 523 October 5, 2020 Jeff Terrell 1 / 49 Announcements music: Paranoid Android by Radiohead, who exhibit great musical agility IMO please join our class on OpenClass.ai before Q4 on Wednesday see Piazza for a link Q1

883 views • 49 slides
Cryptography for the paranoid Daniel J. Bernstein (University of Illinois at Chicago, Technische

Cryptography for the paranoid Daniel J. Bernstein (University of Illinois at Chicago, Technische

Cryptography for the paranoid Daniel J. Bernstein (University of Illinois at Chicago, Technische Universiteit Eindhoven) Based on joint work with: Tanja Lange (Technische Universiteit Eindhoven) Christiane Peters (Danmarks Tekniske

1.12k views • 89 slides
Cybercrime Threats and Future Dark Musings from a Professional Paranoid Alex Stamos, Partner

Cybercrime Threats and Future Dark Musings from a Professional Paranoid Alex Stamos, Partner

Cybercrime Threats and Future Dark Musings from a Professional Paranoid Alex Stamos, Partner March 31 st , 2009 https://www.isecpartners.com Our Discussion Today Where are we today? Notes from the security front Recent incidents

754 views • 44 slides
Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest

Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest

Security Basics - Lessons From a Paranoid Stuart Larsen Yahoo! Paranoids - Pentest Overview Threat Modeling - Common Web Vulnerabilities - Automated Tooling - Modern Attacks - whoami Threat Modeling Analyzing the security of an

558 views • 44 slides
BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member

BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member

BE PARANOID OR NOT TO BE ? Alize PENEL Linux and Android System Developer Dev Team Member Agenda 02 03 01 Network Security Internet socket in Aspects Permission in Android OS Marshmallow INTERNET PERMISSION IN MARSHMALLOW

584 views • 33 slides
Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this

Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this

Paranoid Habits Part 1: Security Tips Denis Rechkunov @pragmader / pragmader.me Whats this about? Topics: Authentication Phishing PGP SSH USB Networking Can I trust you, Denis? Trust no one,

531 views • 41 slides
Success breeds complacency. Complacency breeds failure. Only the paranoid survive. Andy Grove,

Success breeds complacency. Complacency breeds failure. Only the paranoid survive. Andy Grove,

Success breeds complacency. Complacency breeds failure. Only the paranoid survive. Andy Grove, former Intel CEO Success breeds complacency. Complacency breeds failure. Only the paranoid survive. Andy Grove, former Intel CEO Success breeds

1.78k views • 146 slides
Homework 5.4 Recall the following theorem from the overconfidence versus paranoia

Homework 5.4 Recall the following theorem from the overconfidence versus paranoia

Homework 5.4 Recall the following theorem from the overconfidence versus paranoia lecture: Theorem . In a zero-sum perfect-information game, both the paranoid and overconfident models will lead you to choose the same strategy s 1 *

860 views • 9 slides
with schizophrenia. Arkhipov Andrei Y. Kudryashov P. Nurbekov M. Strelets V.B. Maslennikova A.

with schizophrenia. Arkhipov Andrei Y. Kudryashov P. Nurbekov M. Strelets V.B. Maslennikova A.

Complex study of hallucinatory- paranoid syndrome in patients with schizophrenia. Arkhipov Andrei Y. Kudryashov P. Nurbekov M. Strelets V.B. Maslennikova A. Comprehensive research method Biochemistry Psycho- Anatomy Physiology

814 views • 28 slides
Agility Practices UNC COMP 523 October 7, 2020 Jeff Terrell 1 / 26 Announcements music:

Agility Practices UNC COMP 523 October 7, 2020 Jeff Terrell 1 / 26 Announcements music:

Agility Practices UNC COMP 523 October 7, 2020 Jeff Terrell 1 / 26 Announcements music: Paranoid Android (try 2) by Radiohead, who exhibit great musical agility IMO using Sakai for the quiz today reminder: if stressed, consider seeking help,

494 views • 26 slides
2019 Revaluation Schedule of Values, Standards, and Rules (SOV) Kenneth L Joyner, RES, AAS

2019 Revaluation Schedule of Values, Standards, and Rules (SOV) Kenneth L Joyner, RES, AAS

2019 Revaluation Schedule of Values, Standards, and Rules (SOV) Kenneth L Joyner, RES, AAS August 8, 2018 M e c k R e v a l . c o m Why are we here tonight? Beginning of the legal process set by NCGS 105-317 Tonight Required SOV

530 views • 16 slides
For internal circulation and training purposes only and subject to change without prior notice.

For internal circulation and training purposes only and subject to change without prior notice.

For internal circulation and training purposes only and subject to change without prior notice. Aviva will not be liable for completeness or accuracy of content, any loss, direct or indirect, arising from the use of this content. Any unauthorized

551 views • 43 slides
WA/ 2015/ 2216 Application under Section 73A to vary Condition 1 of Russets, Petworth Road. WA/

WA/ 2015/ 2216 Application under Section 73A to vary Condition 1 of Russets, Petworth Road. WA/

CHIDDINGFOLD PARISH COUNCIL M inutes of the Parish Council meeting held on Thursday 10 December 2015 at 7.45 pm in the Charles Watts Room of the Village Hall. Present: Cllr Richard Hogsflesh, Chairman (RH) Cllr Susie Forrest (SF) Cllr Tim

404 views • 6 slides
Agenda 1. Opening and welcome by chairman 2. Introduction to the VRCID initiative 3.

Agenda 1. Opening and welcome by chairman 2. Introduction to the VRCID initiative 3.

8/8/2011 Public Meeting 27 July 2011 Agenda 1. Opening and welcome by chairman 2. Introduction to the VRCID initiative 3. Presentation on the VRCID SRA 4. Questions 5. Closing 1 8/8/2011 Cape Argus 15 January 2010 page 3 Weekend Argus

313 views • 12 slides
STUDENT RESULTS and ARCHIVE MANAGEMENT SYSTEM iPAGE TECHNOLOGIES LTD.| www.sraams.com |

STUDENT RESULTS and ARCHIVE MANAGEMENT SYSTEM iPAGE TECHNOLOGIES LTD.| www.sraams.com |

STUDENT RESULTS and ARCHIVE MANAGEMENT SYSTEM iPAGE TECHNOLOGIES LTD.| www.sraams.com | 08036885585 | www.ipageng.com iPAGE TECHNOLOGIES LTD.| www.sraams.com | 08036885585 | www.ipageng.com WHAT IS SRaAMS ?

1.22k views • 32 slides
Voter Registration 2014 Maricopa County Community Network April 30 th , 2014 Topics Voter

Voter Registration 2014 Maricopa County Community Network April 30 th , 2014 Topics Voter

Voter Registration 2014 Maricopa County Community Network April 30 th , 2014 Topics Voter Registration Workshop for 2014 Updates on the 90-day Notice Cards Voter Registration Presentation 2014 Maricopa County Recorder Elections

1.06k views • 74 slides
KEY PERFORMANCE INDICATORS For Local School Boards KEY PERFORMANCE INDICATORS LEADING BY

KEY PERFORMANCE INDICATORS For Local School Boards KEY PERFORMANCE INDICATORS LEADING BY

USBA PRESENTS KEY PERFORMANCE INDICATORS For Local School Boards KEY PERFORMANCE INDICATORS LEADING BY EXAMPLE Building better boards by identifying Key Performance Indicators (KPIs) for highly effective boards. USBA has developed a new

585 views • 19 slides
Key Performance Indicators Proposed FY 2017 FY 2016 2016 YTD KPI CRITERIA FY 2017

Key Performance Indicators Proposed FY 2017 FY 2016 2016 YTD KPI CRITERIA FY 2017

Key Performance Indicators Proposed FY 2017 FY 2016 2016 YTD KPI CRITERIA FY 2017 TARGET TARGET (Aug) Ridership Bus Passengers per Greater than or Greater than or equal to Bus 21.8 Productivity Revenue Hour equal to 23.8

422 views • 9 slides

More recommend