LIS 525 - Security
Why Is Security Important?
- Reputation
- Money
- Recovering from an incident is harder and costlier than preventing it
Some Types of Attack
- Abusing the resources of compromised remote machines
(e.g., using "zombie" machines to distribute spam)
- Data theft (e.g., industrial espionage)
- Damage to data (e.g., criminal records, bank accounts)
- Denial of service
- Crashing remote site
- Flooding remote site with requests or mail messages
(mail bombs, spam)
- Distributing viruses, etc.
- Faking real sites (phishing).
Some Ways of Breaching Security
- Stealing passwords
or trying default passwords.
- Overflowing buffers
(often used against CGI scripts,
but also possible in many unexpected places,
such as in the code that decodes PNG images on Web pages
or attached to e-mail).
- IP spoofing.
Sending packets whose source IP address
is that of a trusted host.
The attacker must first find the IP address of a trusted host
and then forge the packet headers;
since any replies go to the real host, not the attacker,
this is most useful for one-way attacks.
Routers and firewalls can block much of it
by ingress/egress filtering:
dropping packets that arrive from outside
with an inside source address, and vice versa.
- DNS spoofing.
The intruder corrupts a DNS server (or its cache)
so that the name of a trusted host
resolves to the attacker's IP address.
- Domain name hijacking
(taking over the registration of a domain,
e.g., through the owner's registrar account,
so that the whole domain points where the attacker wants).
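The anti-spoofing check mentioned above ("newer routers and firewalls") is simple to state as a rule: a packet arriving from the Internet must not carry one of your own addresses as its source, and a packet leaving your network must carry one of your own addresses. The following is an added Python illustration, not code from these notes; it assumes the site owns the documentation prefix 203.0.113.0/24, that packets are tagged with the interface they arrived on, and that packets are small dicts. Real routers do the same thing with access lists or unicast reverse-path forwarding.

```python
"""Ingress/egress anti-spoofing filter (BCP 38 style), stand-alone illustration.

Assumptions (not from the lecture notes): the site owns 203.0.113.0/24,
each packet is a dict with 'iface' ('external' or 'internal'), 'src', 'dst'.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed site prefix

# Addresses that must never appear as a source on the Internet-facing side.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(pkt):
    """Return (verdict, reason) for one packet dict."""
    src = ipaddress.ip_address(pkt["src"])
    if pkt["iface"] == "external":
        # Ingress: a packet from the Internet claiming one of OUR addresses
        # as its source is spoofed; so is any private/bogon source.
        if _in_any(src, INTERNAL_NETS):
            return ("drop", "external packet spoofing internal source")
        if _in_any(src, BOGON_NETS):
            return ("drop", "bogon source address")
        return ("accept", "ok")
    if pkt["iface"] == "internal":
        # Egress: only our own prefix may leave, so a compromised host here
        # cannot be used to spoof someone else (and is easier to trace).
        if not _in_any(src, INTERNAL_NETS):
            return ("drop", "internal host sending with foreign source")
        return ("accept", "ok")
    return ("drop", "unknown interface")


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    {"iface": "external", "src": "198.51.100.7",  "dst": "203.0.113.10"},  # normal inbound
    {"iface": "external", "src": "203.0.113.5",   "dst": "203.0.113.10"},  # spoofs our address
    {"iface": "external", "src": "10.1.2.3",      "dst": "203.0.113.10"},  # private source
    {"iface": "internal", "src": "203.0.113.22",  "dst": "198.51.100.7"},  # normal outbound
    {"iface": "internal", "src": "198.51.100.99", "dst": "198.51.100.7"},  # spoofing outward
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply the filter to each packet and return the list of verdicts."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{p['iface']:8} {p['src']:>15} -> {p['dst']:<14} {verdict}")
```

The egress half is as important as the ingress half: it does nothing for you directly, but if every site did it, spoofed packets could not leave their origin network at all.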
Security Measures
- Have a security policy
(who can do what when and how,
and procedures for changes
and for responding to breaches).
- Cryptographic protocols
- Restriction of access
- Limitation of number of services
- Limitation of number of users
- Physical security
- Don't leave a workstation unattended.
(Physical protection is not possible for Internet links,
which pass through networks you don't control;
that is what the cryptographic protocols are for.)
- Good passwords, changed frequently.
- Use an account with the lowest possible privileges.
- Control scripts.
- Write scripts conservatively;
never pass user input to the command line
without validating it and quoting or escaping it
(better still, avoid invoking a shell at all).
- Have others review scripts.
- Remove unused scripts.
- Change default server settings
(and remove default accounts, sample scripts, and sample pages).
- Back up.
- Use a firewall/proxy server.
- Use and check logs.
- Use sniffer tools
(to see what actually travels on your network).
- Use security mailing lists.
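The "Control scripts" advice above is easiest to see with the classic CGI mistake: user input concatenated into a shell command. The following added Python example (not code from these notes) puts the vulnerable pattern beside a hardened one. It assumes a form field that names a host to look up; `echo` stands in for the real lookup tool so the example runs offline, and the two input strings are constructed.

```python
"""Command injection in a CGI-style script: vulnerable pattern beside a hardened one.

Added illustration, not from the lecture notes.  `echo` stands in for a real
lookup command (whois, nslookup, ...) so that this runs offline.
"""
import re
import subprocess

# Constructed form input: a legitimate host name and an injection payload.
GOOD_INPUT = "example.com"
EVIL_INPUT = "example.com; echo INJECTED"

# Allow-list pattern for a DNS host name: labels of letters, digits, hyphens.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)*[a-z0-9-]{1,63}$", re.I)


def vulnerable_lookup(host):
    """Builds the command by string concatenation and hands it to a shell,
    so anything the user types after ';' or '|' runs as a second command."""
    cmd = "echo Looking up " + host                 # untrusted input straight into the shell
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def hardened_lookup(host):
    """Validates the input against an allow-list pattern and never invokes
    a shell: the argument list goes directly to the program, so shell
    metacharacters have no special meaning."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid host name")
    out = subprocess.run(["echo", "Looking up", host],   # argv list, no shell
                         capture_output=True, text=True, check=True)
    return out.stdout


def demo():
    """Return (vulnerable_output, hardened_result) for the injection payload."""
    vuln = vulnerable_lookup(EVIL_INPUT)
    try:
        hard = hardened_lookup(EVIL_INPUT)
    except ValueError as exc:
        hard = f"rejected: {exc}"
    return vuln, hard


if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable:", vuln.strip().replace("\n", " | "))
    print("hardened:  ", hard)
```

Note that the hardened version does two independent things: it rejects input that does not look like a host name, and it avoids the shell even for input that passes. Either alone helps; together they also cover the case where the allow-list is later loosened by someone who forgot why it was there.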
PKI
The combination of software, encryption technologies, and
services
that protects the security
of an organization's communications and transactions
on the Internet is referred to as the public-key
infrastructure
or PKI.
The core service in a PKI is the certificate authority (CA),
which signs certificates binding a site's public key to its name;
that signature is how a browser knows whose key it is using.
The best-known commercial CA is Verisign.
For a summary, see
Secure Internet communication uses public key
cryptography,
in which each recipient has a secret private key
and a public key that is published.
The sender uses the recipient's public key to encrypt the
message,
and the recipient uses the private key to decrypt the
message.
In SSL/TLS the recipient's public key is used only to protect
a randomly generated symmetric session key,
which then encrypts the actual data;
"128-bit encryption" refers to the length of that session key
(e.g., AES with a 128-bit key).
Trying all 2^128 keys is far beyond any foreseeable computing power,
so it is considered strong enough to protect important data.
(Public keys such as RSA must be much longer,
1024 bits or more, for comparable strength.)
The leading security protocol for the Internet
is SSL (Secure Sockets Layer), originally developed by Netscape.
Its standardized successor is Transport Layer Security (TLS);
the name "SSL" is still used loosely to cover both.
You can inspect your browser's SSL/TLS settings.
In Netscape Navigator,
look under "Privacy & Security"
in the "Preferences" dialog.
In Internet Explorer,
look under "Security" at the "Advanced" tab
in the "Internet Options" dialog.
In Firefox,
click on "Advanced" in the "Options" dialog
and look under "Security".
In Opera,
click on "Security" in the "Preferences" dialog
and then click on the "Security Protocols..." button.
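To make the public-key description above concrete, here is textbook RSA worked in a few lines of Python. This is an added example, not from these notes: the two primes are the Mersenne primes 2^61-1 and 2^89-1 (genuine primes, but far too small and too structured for real use), there is no padding, and the "message" is a constructed 16-byte value standing in for a 128-bit session key, which is the only thing the public key is used to encrypt in SSL/TLS.

```python
"""Public-key encryption in miniature: textbook RSA with Python integers.

Added illustration, not from the lecture notes.  Toy primes, no padding;
real systems use 2048-bit+ RSA (or elliptic curves) with OAEP/PSS padding,
and only to protect a 128- or 256-bit symmetric session key.
"""
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test, used here only to confirm the toy primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_keypair(p, q, e=65537):
    """Return (public, private) where public = (n, e) and private = (n, d)."""
    assert is_probable_prime(p) and is_probable_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Sender side: encrypt with the RECIPIENT's published key (n, e)."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key; use hybrid encryption")
    return pow(m, e, n)


def decrypt(private, ciphertext: int, length: int) -> bytes:
    """Recipient side: only the holder of the secret d can undo this."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes(length, "big")


P, Q = (1 << 61) - 1, (1 << 89) - 1          # Mersenne primes M61 and M89 (toy sizes)
PUBLIC, PRIVATE = make_keypair(P, Q)


def roundtrip(message: bytes) -> bytes:
    """Encrypt with the public key, decrypt with the private key."""
    return decrypt(PRIVATE, encrypt(PUBLIC, message), len(message))


if __name__ == "__main__":
    session_key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed 128-bit key
    c = encrypt(PUBLIC, session_key)
    print("public  (n, e):", PUBLIC)
    print("ciphertext    :", hex(c))
    print("recovered     :", decrypt(PRIVATE, c, 16).hex())
```

Two points the code makes visible: the public key (n, e) is all the sender ever needs, so it can be published freely; and the message must be smaller than n, which is why the public key protects a short session key rather than the data itself.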
User Security
In addition to securing your own site and facilities against attack,
you should also avoid doing anything
that might compromise the security of your users.
For example,
if you ask users to register using their e-mail addresses,
this could leave them open to customized phishing attacks
based on hostile profiling:
in hostile profiling,
an attacking program tries logging in or registering
using a large number of possible e-mail addresses
and logs those attempts
that result in a response
indicating that the address is already registered.
The defence is to return the same response
whether or not the address is registered
(e.g., "if this address is valid, you will receive an e-mail")
and to limit the rate of attempts from one source.
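The following added Python example (not code from these notes) shows hostile profiling against a login handler that answers "unknown e-mail address" for unregistered users, and the uniform-response handler that defeats it. The user table and the candidate address list are constructed; the same idea applies to a registration form that reports "already registered".

```python
"""Hostile profiling (account enumeration) and the uniform-response defence.

Added illustration, not from the lecture notes.  The user store and the
candidate e-mail addresses are constructed for the demo.
"""
import hashlib
import hmac
import secrets


def _hash(password, salt):
    """Toy salted hash for the demo (use a real password KDF in practice)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user store: e-mail -> (salt, digest).
USERS = {}
for _email, _pw in [("alice@example.org", "s3cret!"), ("bob@example.org", "hunter2")]:
    _salt = secrets.token_bytes(8)
    USERS[_email] = (_salt, _hash(_pw, _salt))


def leaky_login(email, password):
    """Tells 'no such user' apart from 'wrong password': that difference is
    all an attacker needs to learn which addresses are registered."""
    rec = USERS.get(email)
    if rec is None:
        return "unknown e-mail address"
    salt, digest = rec
    if hmac.compare_digest(_hash(password, salt), digest):
        return "ok"
    return "wrong password"


# Dummy credentials so unknown users cost the same work as known ones.
DUMMY_SALT = b"\x00" * 8
DUMMY_DIGEST = _hash("placeholder", DUMMY_SALT)


def hardened_login(email, password):
    """One message for both failures, and the hash is computed either way
    so the response time does not give the answer away instead."""
    salt, digest = USERS.get(email, (DUMMY_SALT, DUMMY_DIGEST))
    ok = hmac.compare_digest(_hash(password, salt), digest) and email in USERS
    return "ok" if ok else "invalid e-mail address or password"


def profile(login, candidates):
    """Attacker's loop: learn the response for an address that certainly is
    not registered, then keep every candidate whose response differs."""
    baseline = login("nobody-" + secrets.token_hex(4) + "@example.net", "x")
    return [addr for addr in candidates if login(addr, "x") != baseline]


# Constructed list an attacker might harvest from a mailing list or guess.
CANDIDATES = ["alice@example.org", "carol@example.org",
              "bob@example.org", "dave@example.org"]

if __name__ == "__main__":
    print("leaky handler reveals:   ", profile(leaky_login, CANDIDATES))
    print("hardened handler reveals:", profile(hardened_login, CANDIDATES))
```

Against the leaky handler the attacker recovers exactly the registered addresses; against the hardened one every probe looks the same. Rate limiting and lockouts still belong on top of this, since a uniform message does not stop password guessing against an address the attacker already knows.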
For More Information
- Christiansen, T. 1999.
What's the Plural of 'Virus'?.
http://www.linuxmafia.com/~rick/faq/plural-of-virus.html.
("The plural of virus is neither viri nor virii,
nor even vira nor virora.
It is quite simply viruses, irrespective of context.
Here's why.")
- Evers, J. 2005.
"Phishers get personal".
ZDNet Tech News.
http://news.zdnet.com/2100-1009_22-5720672.html.
(On hostile profiling.)
- Geist, M. 2007.
"The Unintended Consequences of Rogers' Packet Shaping".
http://www.michaelgeist.ca/content/view/1859/.
("Rogers ... one of the only ISPs in the world to simply degrade encrypted traffic".)
- Gibson Research Corporation. 2006.
"LeakTest: How to Use Version 1.x".
http://grc.com/lt/howtouse.htm.
(LeakTest is a simple benign utility
to test firewall protection on individual computers
by simulating the effect of Trojan horses, viruses,
and adware/spyware
that establish TCP connections with servers.)
- Gin, M. 2007.
Macromedia - How to design secure Web applications.
Adobe Systems.
http://www.macromedia.com/devnet/server_archive/articles/design_secure_webapps.html
- Granger, S. 2001.
Social Engineering Fundamentals, Part I: Hacker Tactics.
Security Focus.
http://online.securityfocus.com/infocus/1527.
- Lam, J. 2001.
"Secure your Web applications".
PC Magazine.
Ziff Davis Publishing Holdings.
http://www.pcmag.com/article2/0,1759,34074,00.asp.
(Basics of protecting against attackers' seeing
what visitors are seeing
or impersonating visitors or the Web site.)
- McMillan, R. 2006.
"Free Web Browser May Give You More Than You Asked For".
PC World.
http://www.pcworld.com/news/article/0,aid,126226,00.asp.
("Security firm Panda Software
says that Browsezilla secretly visits pornographic Web sites
if you use the browser.")
- Pro-Softnet. 2007.
IBackup - Online Backup,
Online Storage, Collaboration and Data Sharing.
http://www.ibackup.com/.
(Example of a company offering remote backup services.)
- Real Internet Company. 2007.
"Credit Card Processing".
Internet Access.
http://www.netcompanies.net/Ecommerce/credit.htm.
(An example of a local company
that handles credit card processing
on behalf of Internet-based retail clients.)
- Schmidt, C. 2006.
Page Hijack Exploit: 302, redirects and Google.
http://clsc.net/research/google-302-page-hijack.htm.
(How your listings on some search engines
can be hijacked by someone else
using the 302 "Moved Temporarily" response code
on their server,
with some actions you might be able to use to protect yourself.)
- Stein, L.D.; Stewart, J.N. 2002.
The WWW Security FAQ.
http://www.w3.org/Security/Faq/.
(Deals with a large number of security questions.)
Last updated October 31, 2007.
This page maintained by
Prof. Tim Craven
E-mail (text/plain only): craven@uwo.ca
Faculty of Information and Media Studies,
University of Western Ontario,
London, Ontario, Canada N6A 5B7