LIS 525 - Security
Why Is Security Important?
- Recovering from incidents is more difficult than preventing them.
Some Types of Attack
- Using services provided by remote machines
(e.g., using zombie machines to distribute spam)
- Data theft (e.g., industrial espionage)
- Damage to data (e.g., criminal records, bank accounts)
- Denial of service
- Crashing remote site
- Flooding remote site with requests or mail messages
(mail bombs, spam)
- Distributing viruses, etc.
- Faking real sites (phishing).
Some Ways of Breaching Security
- Stealing passwords
or trying default passwords.
- Overflowing buffers
(often used on CGI scripts,
but also possible in many unexpected ways,
such as with PNG files on Web pages
or attached to e-mail).
- IP spoofing.
Sending messages with an IP address
indicating that the message is coming from a trusted port.
The hacker must first find an IP address of a trusted port
and then modify the packet headers.
Newer routers and firewalls can offer protection against IP
- DNS spoofing.
The intruder modifies a DNS server
to send an IP address of a trusted host.
- Domain name hijacking.
- Have a security policy
(who can do what when and how,
and procedures for changes
and for responding to breaches).
- Cryptographic protocols
- Restriction of access
- Limitation of number of services
- Limitation of number of users
- Physical security
(but not possible for Internet lines)
- Don't leave workstation unattended.
- Good passwords, changed frequently.
- Use an account with the lowest possible privileges.
- Control scripts.
- Write scripts conservatively;
don't pass input to the command line without parsing.
- Have others review scripts.
- Remove unused scripts.
- Change default server settings
- Back up.
- Use a firewall/proxy server.
- Use and check logs.
- Use sniffer tools.
- Use security mailing lists.
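The "control scripts" items above (write conservatively, don't pass input to the command line without parsing) are the point most easily shown in code. The following is an added example, not code from the course page: a constructed whitelist parser for a login name, the unsafe pattern the notes warn about (raw input spliced into a shell string), and the hardened form that validates first and then hands the program an argument list so no shell ever re-parses the input. The `finger` lookup, the username policy and the regular expression are assumptions made for this illustration.

```python
import re
import subprocess
from typing import List, Optional

# Constructed policy for this example: a login name starts with a letter and
# contains only lower-case letters, digits, '_' or '-', at most 32 characters.
# A leading '-' is excluded so a name can never be mistaken for an option.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def parse_username(raw: Optional[str]) -> Optional[str]:
    """Return the username if it passes the whitelist, otherwise None.

    "Parsing" here means accepting only the characters the script needs,
    so shell metacharacters (';', '|', '&', '$', backticks) and whitespace
    never reach a command line in the first place.
    """
    if raw is None:
        return None
    candidate = raw.strip()
    if USERNAME_RE.match(candidate):
        return candidate
    return None


def build_command_unsafe(raw: str) -> str:
    """The pattern to avoid: raw input concatenated into a shell command.

    If this string is run through a shell, every metacharacter in `raw`
    changes what actually executes; the function only builds the string
    so the difference can be inspected.
    """
    return "finger " + raw


def build_command_safe(raw: str) -> List[str]:
    """Hardened form: validate, then return an argv list (no shell).

    Rejected input raises instead of being silently 'cleaned up', so the
    caller logs it rather than guessing what the user meant.
    """
    name = parse_username(raw)
    if name is None:
        raise ValueError("rejected username")
    return ["finger", name]


def run_lookup(raw: str) -> str:
    """Run the validated lookup without a shell and return its output."""
    argv = build_command_safe(raw)
    completed = subprocess.run(
        argv, shell=False, capture_output=True, text=True, timeout=10
    )
    return completed.stdout


if __name__ == "__main__":
    for attempt in ["alice", "alice; id", "-o", "bob_1"]:
        try:
            print(attempt, "->", build_command_safe(attempt))
        except ValueError as err:
            print(attempt, "->", err)
```

`build_command_safe` never sees a shell, so the rejected cases are caught by the whitelist alone; `shell=False` in `run_lookup` is the second line of defence, in case a later edit loosens the whitelist.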
The combination of software, encryption technologies, and
that protects the security
of an organization's communications and transactions
on the Internet is referred to as the public-key
The leading service for PKI is Verisign.
For a summary, see
Secure Internet communication uses public key
in which each recipient has a secret private key
and a public key that is published.
The sender uses the recipient's public key to encrypt the
and the recipient uses the private key to decrypt the
128-bit encryption is currently considered so difficult to break
that it can be used to protect important data.
The leading security protocol for the Internet
is Netscape's SSL (Secure Sockets Layer).
SSL is included in the Transport Layer Security (TLS) protocol.
You can check some of your browser's SSL settings.
In Netscape Navigator,
look under "Privacy & Security"
in the "Preferences" dialog.
In Internet Explorer,
look under "Security" at the "Advanced" tab
in the "Internet Options" dialog.
click on "Advanced" in the "Options" dialog
and look under "Security".
click on "Security" in the "Preferences" dialog
and then click on the "Security Protocols..." button.
In addition to securing your own site and facilities against attack,
you should also avoid doing anything
that might compromise the security of your users.
If you ask users to register using their e-mail addresses,
this could leave them open to customized phishing attacks
based on hostile profiling:
in hostile profiling,
an attacking program tries logging in or registering
using a large number of possible e-mail addresses
and logs those attempts
that result in a response
indicating that the address is already registered.
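The hostile-profiling paragraph above and the earlier advice to "use and check logs" fit one worked example. The code below is added here and is not from the course page: a registration handler whose reply reveals whether an address is already on file (the leak described above) beside one that answers identically either way and moves the distinguishing information into a message sent to the mailbox itself, plus a small log check that flags clients trying many different addresses against the form. The log line format, the sample entries (documentation-range addresses and example.com mailboxes) and the threshold of three distinct addresses are all constructed for this illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set


# --- Registration responses -------------------------------------------------

def register_leaky(email: str, store: Set[str]) -> str:
    """The pattern the notes describe: the reply itself says whether the
    address is already registered, so a probing program can confirm
    addresses one attempt at a time."""
    if email in store:
        return "That e-mail address is already registered."
    store.add(email)
    return "Registration complete."


def register_uniform(email: str, store: Set[str], outbox: List[str]) -> str:
    """Hardened form: the on-screen reply is identical either way.

    What differs is sent only to the mailbox in question, which a prober
    does not control. Both branches do similar work so that response
    timing gives little away either.
    """
    if email in store:
        outbox.append(f"{email}: someone tried to register with your address")
    else:
        store.add(email)   # pending until the confirmation message is answered
        outbox.append(f"{email}: confirm your new account")
    return "If this address can be registered, a confirmation message has been sent to it."


# --- Checking the logs ------------------------------------------------------
# Constructed log lines: client address, path, address tried, outcome.
SAMPLE_LOG = """\
203.0.113.7 /register a1@example.com exists
203.0.113.7 /register a2@example.com exists
198.51.100.2 /register carol@example.com new
203.0.113.7 /register a3@example.com new
203.0.113.7 /register a4@example.com exists
203.0.113.7 /register a5@example.com new
203.0.113.7 /register a6@example.com exists
198.51.100.2 /login carol@example.com ok
"""

LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<path>/\S*) (?P<email>\S+@\S+) (?P<outcome>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed format; blank or malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def find_enumeration(entries: List[Dict[str, str]], max_distinct: int = 3) -> Dict[str, int]:
    """Return clients that tried more than `max_distinct` different addresses
    against the registration or login forms; a real user rarely does that."""
    tried = defaultdict(set)
    for entry in entries:
        if entry["path"] in ("/register", "/login"):
            tried[entry["ip"]].add(entry["email"])
    return {ip: len(addrs) for ip, addrs in tried.items() if len(addrs) > max_distinct}


if __name__ == "__main__":
    store, outbox = {"alice@example.com"}, []
    print(register_uniform("alice@example.com", store, outbox))
    print(register_uniform("carol@example.com", store, outbox))
    print("outbox:", outbox)
    print("suspicious clients:", find_enumeration(parse_log(SAMPLE_LOG)))
```

The uniform reply removes the signal the notes describe; the log check is the compensating control for the attempts that still arrive, and the threshold should be tuned to the site's own traffic.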
For More Information
- Christiansen, T. 1999.
What's the Plural of 'Virus'?.
("The plural of virus is neither viri nor virii,
nor even vira nor virora.
It is quite simply viruses, irrespective of context.")
- Evers, J. 2005.
Phishers get personal | Tech News on ZDNet.
(On hostile profiling.)
- Geist, M. 2007.
The Unintended Consequences of Rogers' Packet Shaping.
("Rogers ... one of the only ISPs in the world to simply degrade encrypted traffic").
- Gibson Research Corporation. 2006.
GRC | LeakTest -- How to Use Version 1.x.
(LeakTest is a simple benign utility
to test firewall protection on individual computers
by simulating the effect of Trojan horses, viruses,
that establish TCP connections with servers.)
- Gin, M. 2007.
Macromedia - How to design secure Web applications.
- Granger, S. 2001.
Social Engineering Fundamentals, Part I: Hacker Tactics.
- Lam, J. 2001.
"Secure your Web applications".
Ziff Davis Publishing Holdings.
(Basics of protecting against attackers' seeing
what visitors are seeing
or impersonating visitors or the Web site.)
- McMillan, R. 2006.
"Free Web Browser May Give You More Than You Asked For".
("Security firm Panda Software
says that Browsezilla secretly visits pornographic Web sites
if you use the browser.")
- Pro-Softnet. 2007.
IBackup - Online Backup,
Online Storage, Collaboration and Data Sharing.
(Example of a company offering remote backup services.)
- Real Internet Company. 2007.
"Credit Card Processing".
(An example of a local company
that handles credit card processing
on behalf of Internet-based retail clients.)
- Schmidt, C. 2006.
Page Hijack Exploit: 302, redirects and Google.
(How your listings on some search engines
can be hijacked by someone else
using the 302 "Moved Temporarily" response code
on their server,
with some actions you might be able to use to protect yourself.)
- Stein, L.D.; Stewart, J.N. 2002.
The WWW Security FAQ.
(Deals with a large number of security questions.)
Last updated October 31, 2007.
This page maintained by
Prof. Tim Craven
E-mail (text/plain only): email@example.com
Faculty of Information and
University of Western
Canada, N6A 5B7