Computer and Data Security

Security has always been an issue in computing, primarily because the key assets are
informational, and not physical, hence data is more open to covert theft, and
communications are more open to being intercepted secretly – since data can be
replicated very simply while leaving the original intact.

Security is important for any system, but becomes increasingly important as the Web
spreads in scope (geographically and across areas of our life), and is used more and
more for value-based transactions.

Aspects of Computer and Data Security

Concept Ideal
Privacy Unauthorized parties cannot track what you are doing or who you
are talking to
Confidentiality Messages cannot be overheard by others
Integrity Messages can be guaranteed complete and not tampered with
Authentication Identity of sender and/or receiver can be guaranteed
Non-repudiation Neither party can deny that a transaction took place
Availability Unauthorized parties cannot disrupt or deny service

How People Hack

Computer hacking is a complex discipline and constantly changing. The table below
lists the common forms of attack that hackers would use to try to compromise security,
motivated commercially (e.g. industrial espionage) ethically/morally or more likely just
for the fun or challenge.

Method of Hacking Description

Performing a transaction while pretending to be someone
else

IP (Internet Protocol) addresses are the 4-part

addresses that are the unique identifiers of the Internet.
IP/DNS spoofing DNS (Domain Name Services) is the common function
that allows services to be performed by names (e.g.
www.amazon.com), which are then translated to IP
addresses (e.g. 100.253.73.4). IP/DNS spoofing refers
to hackers masquerading as a legitimate IP address/DNS
name in order to gain unauthorized access.
 Inserting a price of code that damages or simply floods a
computer, then replicates itself

This class of attack involves inserting a piece of damaging

code into a system. For clarity, viruses are codes that
damage the host system and replicate themselves.
Trojan horses are viruses hidden inside legitimate
programs. Logic bombs are viruses which lie dormant,
triggered by specific logical conditions e.g. the system
Viruses, Trojan horses, date reaching a specific date, like Da Vinci’s birthday.
logic bombs and worms
Finally, worms replicate, but do not damage the system.
Worms damage a network’s functionality by flooding the
communications bandwidth with their replication needs.
Note that all of the types of attack, like real biological
viruses, are difficult to stop, as they have no master
computer or process, but are genuinely distributed. A
further difficulty is that viruses mutate over time, making
simple patter matching techniques ineffective in catching
them.
Flooding a server with packets to prevent genuine users
from accessing services

Denial of service This refers to an attack which, like vandalism, is focused

not on gaining unauthorized access, but
damaging/occupying a system such that authorized users
lose access, as the system is so busy fighting off attacks.
Listening to all packets on a network

This refers to illegally listening to every packet of

information on a network (whoever it is intended for), then
taking the information away to decrypt or use later.
Vulnerability to sniffing is an inevitable downside of a
packet-based network, where most information is passed
Sniffing
to many network nodes. Sniffing normally requires
physical access to the network.

With the advent of wireless networking, sniffing becomes

particularly scary, as it may be possible from outside the
building or even from a passing vehicle (dubbed as drive-
by hacking).
Replay attack Capturing then replaying genuine transactions

Even if hackers are unable to decrypt a transaction, they

may be able to capture packets, work out who they were
sent from and to, then resend them one or more items.
Similar to denial of service, this is more of a vandal’s
approach than an approach useful for gaining information.
Man-in-the-middle Sitting between two parties, replicating the conversation
between them, capturing all packets.

A man in the middle attach occurs where the hackers

manage to get their computer between two legitimate
parties, and replicates all the packets going both ways,
while capturing them for later analysis. This approach
facilitates both sniffing and replay attacks.

Security Enforcement
Tools for Security Management

1. Authentication mechanisms. These technologies allow the user to identify who

they are. There are four classes of mechanism currently available. Passwords
and challenges represent the user typing in a secret code to identify himself or
herself. (Challenges are slightly more sophisticated than passwords, generally
asking a question from a predetermined set, e.g. What is your mother’s maiden
name?) Tokens and smartcards are physical objects that the user must
possess e.g. dongles that plug into the back of the computer, or smartcards that
are swiped through a card reader. Digital certificates are the online equivalent
of a signature held by a certification authority (CA) online. One example of this is
the company Verisign. Finally, biometrics refers to techniques that use some
aspect of the user’s physical person to identify that person. Currently available
biometric technologies include fingerprints, handprints, voice authentication, iris
recognition and face recognition. Needless to say, as many of the above
techniques as desired can be used together to further thwart an attacker.

2. Encryption. Encryption refers to techniques to render a message meaningless

if intercepted by an unauthorized party. Encryption has a much longer history
than computing and was used in ancient wars e.g. by the Romans.
Conventioanlly, encryption required a shared secret or password, knoen only to
the sender and receiver, agreed between them in some secure place. This
presented a problem in the e-commerce world, as there is no way for e.g. a
consumer in China, to buy a report from a US company online, with a shared
secret. Hence, an innovative technique called the Public Key Infrastructure
(PKI), was invented.
3. Firewalls. Firewalls are a method of keeping unwanted users out of a network,
restricting access for some users coming in and also restricting access out from
the inside. Networks are split into three broad zones: intranets, DMS and the
Internet. Defense Messaging System (DMS) is an X.500-compliant messaging
system developed by the U.S. Dept. of Defense. It is used by all the branches of
the armed forces as well as federal agencies involved with security.

Users going from one of these zones to another are treated differently from each
other. Further, most firewalls are able to do more granular controls, e.g. specific
users (IP addresses can be limited to accessing specific services. Note that a
firewall can be a separate, special purpose box, or it can be a software run of a
general purpose computer. Typically, the separate box approach is viewed as
more secure, as it makes the firewall itself less vulnerable to attack. All major
networking vendors, such as Cisco, Lucent and 3Com have firewall offerings,
typically OEM from specialist firewall makers such as Checkpoint and Sonic.

Original Equipment Manufacturer (OEM) is the rebranding of equipment and

selling it. The term initially referred to the company that made the products (the
"original" manufacturer), but eventually became widely used to refer to the
organization that buys the products and resells them. However, the OEM reseller
is often the designer of the equipment, which is made to order.

4. Intrusion detection. Intrusion detection functions are often used to complement

firewalls, looking for specific known hacking behaviors and automatically locking
users out when they are identified. As with firewalls, this functionality can be
achieved in a specialized piece of hardware, or as software on a general purpose
computer.

5. Proxy servers. Using a proxy server means that all the transactions with a
particular service go through a first server, pretending to be that service. This
first server is a computer, stripped down to ensure it has no security holes, which
accepts requests, screens them, then, passes them on if appropriate. Because
prosy servers are general purpose computers, they can run arbitrarily complex
software to check incoming and outgoing requests, including sophisticated
firewall and intrusion detection software. Note that, as well as performing
security functions, proxy servers can help with performance, through caching and
load balancing. Also, note that proxy servers can be an effective solution to
denial-of-service attacks, as bogus packets are kept clear or the real servers.

6. Security consultants. One can use security consultants to perform security

audits on the system, noting any issues found, and recommending and/or
implementing solutions. There are many tools available to help audits, a notable
one being SATAN (a notorious tool that allows a hacker or security consultant to
check quickly if known security weaknesses have been plugged or not. More
recently, consultants have adopted an ethical hacking approach, where security
 consultants (often ex-hackers) try to hack the clients’ system within pre-agreed
limits and report the results.

Security Technology Standards

There are a plethora of technologies used to create secure Internet transactions. They
are:

1. ISO 17799/BS 17799. Previously a British Standard Institute standard, now

becoming an International Standards Organization (ISO) standard, ISO 17799 is
intended to be a comprehensive approach to security for an organization, and
includes ten components:
a. Security policy
b. Security organization (meaning the team responsible for security)
c. Asset classification and control
d. Personnel security
e. Physical and environmental security
f. Communications and operations security
g. Access control
h. Systems development and maintenance
i. Business community management
j. Audit and compliance

2. PKI or Public Key Infrastructure. It is a method which allows the encrypting of

information without prior exchange of secret information (i.e. password). In a
way, it seems nonsensical that such a thing is possible. It uses a technique such
that everybody knows how to write a message, but no one knows how to read
one. This is done using non-reversible functions, called modulo or remainder.
The PKI generates a matching pair of encode and decode functions, using very
large prime numbers and the remainder function. The encode (or public) key is
shared with the world; the decode (or private) key is kept only the by receiver.

At present, it is too computationally intensive to hack the PKI where they key size
is large, so it is the safest mechanism for e-commerce confidentiality, and is now
commonly used. PKI is, however, a little computationally intensive to use, hence,
in general, it is used at the start of the session to share unique passwords. Which
are then used for the duration of the session.

PKI is also known as asymmetric encryption, whereas password-based

encryption may be called symmetric.

3. HTTPS. HTTP is the session layer protocol that manages a Web session.
HTTPs is a secure version of HTTP, embedding a Secure Socket layer (SSL).
SSL includes PKI encryption. Note that a newer version of SSL is called TLS
 (Transport Layer Security). For HTTPS to work, clearly the computers at both
ends must support it.

4. PGP. Pretty Good Privacy is a public domain encryption utility that can be used
with e-mail clients, such as MS Outlook or Lotus Notes, or embedded in a
custom program.

5. IPSec. It is a comprehensive, low-level, security standard being embedded in

Internet products.

6. Radius. It is a standard for centralized management of users’ passwords.

7. DES/3DES. DES is a symmetric standard that was sued for many years in US
military applications, and thus the export or hardware or software containing DES
algorithms was limited. 3DES or triple DES refers to the application of three DES
transformations, in order to make a message more confidential. In general, DES
is currently regarded by the hacking community as a little weak.

8. SET. Secure Electronic Trading is a standard for secure credit card transactions
developed by a consortium of Visa, Mastercard, Microsoft, and Netscape using
digital certificates. SET is a fairly heavy standard in terms of processing
requirements and has received some resistance from the industry.

9. VPNs. Virtual Private Networks are used to tunnel securely across the Internet,
to facilitate private WAN connection through the Internet, or remote LAN access
for an individual user. Standards for VPN include PPTP and L2TP. IPSEC also
contains a VPN standard.

10. Digital Certificates. Digital certificates are a form of authentication technique,

which are more or less the online equivalent of a signature. After creating a
digital certificate, you store it with a certification authority (CA). Companies such
as Entrust and Verisign are CAs. Counterparts in online transactions can then
confirm your identity.

Interestingly, digital certificates use PKI technology in reverse. In PKI encryption,

everyone knows how to write a message to you. But only you know how to read
it. For digital certificates, only you know how to write your signature but everyone
can read it.

X.509 is the predominant standard for digital certificates.