Monday, October 12, 2009

Week 8 of Lecture


Venue : BK7, Building FTMK.
Date : 7 - 10 -2009
Time : 9.00 a.m. – 10.50 a.m.

Week 8, it’s already week 8, many assignments and projects to deal with, however we still need to attend lecture also. This is gonna be a busy month for us. Well, the lecture for this week was basically the continuation of last week’s lecture on the topic “Security in Networks” and a totally new chapter about “Security in Applications”.
Mr. Zaki started with the topic called Networks Security Control. The table below shows the summary of this topic:


Type of network security controlExplanation
Encryption
  • Link to Link
    • Cover layer 1 and 2 OSL model.
    • Decryption happens when entering receiving of the computer.
  • End to End
    • Provide security in layer 6 or 7.
    • Protect data in every layer.
Strong Authentication
  • one entity proves its identity to another by demonstrating knowledge of a secret known to be associated with that entity
  • Use cryptographic mechanisms to protect messages in protocol encryption, integrity mechanism and digital signature.
IPSec, VPN, SSH
  • IPSec – define standards means for handling encrypted data. It is implemented at IP layer and it provides AH and ESP.
  • SSH - Secure remote login (encrypt data send over the network)
  • SSL – It is to encrypt data over the transport layer. It serves as interface between applications and the TCP/PIP protocols to provide server authentication, optional client authentication and an encrypted communications channel between client and server.
KerberosBased on the idea that a central server provides authentication tokens, called tickets, to requesting applications.
Firewall It is a network security device designed to restrict access to resources according to a security policy.
Intrusion Detection SystemIt is a device or software tools or hardware tools that monitor activity to identify malicious or suspicious events
Intrusion Prevention SystemNetwork security device that monitors network and system activities for malicious or unwanted behavior and can react, in real-time, to block or prevent those activities
HoneypotIt is a decoy systems that are designed to lure a potential attacker away from critical systems

After that, Mr Zaki taught us about hacking under the topic “Hacking and Prevention”. The examples of 5 hacking phases are reconaisance, scanning, gaining access, maintaining access and covering track. The examples of hacking behaviors are:

  • select target using IP lookup tools


  • map network for accessible services


  • identify potentially vulnerable services


  • brute force (guess) passwords


  • install remote administration tool


  • wait for admin to log on and capture password


  • use password to access remainder of network

Finally, Mr. Zaki taught us the new topic known as “Security in Applications”. To understand this chapter, we have to know the securities in Email and Web. The securities in Email are SMIME and PGP; while the securities in Web are SSL, SSH, SET, HTTPS and SFTP. The securities are basically the protocols that we have learnt before in other subjects in the previous semesters. The diagram below shows the way Email works:


I have learnt something quite interesting, initially email cannot carry non-text content until MIME was invented. So, the lecture ended sharp at 11a.m. Again, Mr. Zaki reminded us again about the mid term exam tomorrow, I was worrying… … :(
Posted by at No comments:

Sunday, October 4, 2009

Lab 7

Venue : Makmal Sistem, Building FTMK.
Date : 10-9-2009
Time : 10.00 a.m. – 11.50 a.m.

The lab session is getting more interesting, it was about Security in Network this week. Mr. Zaki has proven to us the weaknesses of TELNET and FTP as he promised us during the lecture several weeks ago before Raya Holidays. The trick to prove it is by capturing the packets sent between client and server using a networking tool called “Wireshark”. Once again we were using virtual machine (VM Ware) in this lab session. First, we need to open two Windows Server 2003 simultaneously in VM Ware where the first one would serve as Server; and the second one would serve as Window. Both Widows were set with different IP address, for example I have use 192.168.1.1 for server and 192.168.1.2 for the client side.
As usual, the connectivity between them were tested by using the “Ping” command, if they are successfully to Ping each other we could proceed to the next steps. Now, install and run the Wireshark on the server side. After that we can try to TELNET the server from client. Surprisingly, Wireshark captured the password used to TELNET. Then, we tried also for FTP, Wireshark captured the username and the password used for FTP as well. So in this lab, we were taught on how to overcome the problem of unsecured in FTP by applying IPSec. IPSec is one of the solutions to safeguard the transmission of data over FTP from being seen by an unauthorized user. The data will be encrypted by IP Sec before they are sent using FTP. Throughout this lab I have learnt the lesson on not to use TELNET if possible because it is really not secured at all. On the other hand, IP Sec has to be implemented if one wants to use FTP service to ensure that all data are encrypted before sent. Before the lab session ended, Mr. Zaki reminded us that we need to pass up the lab report by next week, it’s gonna be a busy week for me as there are tones of assignment waiting for me… …
Posted by at No comments:

Authentication & Access Control


Venue : BK7, Building FTMK.
Date : 30-9-2009
Time : 9.00 a.m. – 10.50 a.m.

Same time, same location for today’s lecture to happen and it was once again conducted by our lovely lecturer, Mr. Zaki. Mr. Zaki has covered two chapters (Chapter 5 and half of Chapter 6) for the lecture this week. Chapter 5 was mainly about “Authentication & Access Control”. Authentication is the word that I used to hear for nearly three years since the day I learn subject related to networking. Sad to say that, I was not so clear about this important term in networking until this week, that was so disgraceful!!!
Basically AUTHENTCATION is the verification of identity of someone who generated some data. There are four classifications of identity verification:


  1. By something known e.g. password
  2. By something possessed e.g. Identity Card, passport…
  3. By physical characteristics e.g. iris, retina, finger print…
  4. By a result of involuntary action e.g. signature, typing style…

Next title was about password. In this topic we were exposed to some of the calculations regarding on password, below are some of the formulae to be used for calculation:

  • Password population, N = rs


  • Probability of guessing a password = 1/N


  • Probability of success, P = nt/N

Example, steps to calculate the time needed to get the right password are shown as below:


Information given,
Possibility of combinations for the password can be alphabets from a-z and numbers from 0-9.
So,
r = 36 (26 for alphabets + 10 for numbers);
length of password, s = 5;
capability of computer, n = 400MIBPS;

N = 365
P = nt/N
therefore, 1=365t/400
t = 151165.44 s.


The techniques or tips for guessing passwords are:

  • Try default passwords.


  • Try all short words.


  • Try all the words in electronic dictionary.


  • Collect information about the user’s hobbies, family names, birthday, etc.


  • Try user’s phone number, social security number, street address, etc.


  • Use Trojan horse.


  • Tap the line between the host system.

There are a few password selecting strategies; they are user education, computer-generated passwords, reactive password checking and proactive password checking. The next interesting topic is Biometric. It is referred to technologies for measuring and analysing human body characteristics for authentication purposes. There are two methods for biometric, they are:
  • Static – authentication based on a feature that is always present. For example: finger recognition, retinal scan, Iris scan, hand geometry and etc.


  • Dynamic – authentication based on a certain behaviour pattern. For example: Signature recognition, Speaker recognition, Keystroke dynamics and etc.

The last topic for this chapter is about Access Control. It is the prevention of unauthorised use of a resource, including the prevention of use of a resource in an authorised manner. There are three elements for access control:
  • Subject – it is the entity that can access objects and usually has 3 classes: owner, group and world.


  • Object – access controlled resource such as files, directories, records, programs and etc.


  • Access right – It is the ways which subject accesses an object such as read, write, execute, delete, create and search.

Another title that we must know for this topic is Access Control Matrix which is and abstract, formal security model of protection state in computer system, that characterises the rights of each subject with respect to every object in the system. Basically it is a table in which each row represents a subject, each column represents and object and each entry is the set of access rights for that subject to that object.

After that, Mr Zaki gave us a very brief summary about Chapter 6. It was all about Security in Networks. Mr Zaki skipped the first part for this chapter first because it is about the basic knowledge that we have learnt before in other subject related to networking. Mr Zaki emphasised on the topic Network Security Control. The titles covered for this topic are:
  • Encryption.


  • Strong Authentication.


  • IPSec, VPN, SSH.


  • Kerberos.


  • Firewall – Mr. Zaki described it as road block.


  • Instrusion Detection System (IDS) – Mr. Zaki described it as speed trap.


  • Instrusion Prevention System (IPS) – Combination of firewall and IDS.

Before the lecture ended, Mr. Zaki reminded us that there will be a mid-term exam next week. Oh my god, I think I need to study hard in this coming weekend so that I know how to answer for the exam… … gambateh for myself ^^
Posted by at No comments:

Monday, September 21, 2009

Lab 6

Venue : Makmal Sistem, Building FTMK.
Date : 10-9-2009
Time : 10.00 a.m. – 11.50 a.m.



After studying networking for almost three years finally I have the chance to get exposed to the topic related to hacking. To me hacking is a cool stuff and full of mystery sometimes. It allows people to bypass a network security without authority rights. As what I have known so far, hacking are characterised into two main types, they are white hat hacking (for good purposes only) and black hat hacking (for bad purposes). The title for the lab session this week was web application security.
Basically, we were using two tools to complete the tasks in this lab – WebGoat and WebScarab. WebGoat is a simulation toolkit used to demonstrate how we can exploit the vulnerabilities of a poorly design web application; while WebScarab is a tool designed for people who needs to expose to the workings of HTTP/ HTTPS based application. It is whether to allow the developer to debug for difficult problems or to allow the security specialist to identify vulnerabilities in the application.
After finished setup and configuring WebGoat and WebScarab, we started to do the tasks in the lab module. Basically, there were three tasks in the lab module. The tasks were about the top three web vulnerabilities based on OWASP – Cross site scripting (XSS), injection flaws and malicious file execution. XSS happens when a web application accept any input and sends it to a web browser without encoding the content.
Injection flaw like SQL injection will cause web application to run an SQL code that was not the intention of the application. The attacker might manipulate the SQL statement to perform the injection. The SQL query below is one of the examples that can be applied in PHP:
$sql = "SELECT * FROM table user WHERE id = '" .$_REQUEST['id'] . "'";

The attacker can manipulate the statement by adding ‘OR1=1 -- or OR ‘1'=’1’ --. It will return all the data from the table named user.

Finally, the last task was about Malicious File Execution. It is the web application vulnerabilities caused by failing to control application input. The lab this week was indeed very interesting, although we just practised it using simulation tool, if it is happened in real life, I guess it would not be so interesting any more. It makes me think that the web application was not very safe after all, who knows one of my accounts like facebook, Friendster, email and so on has been hacked before? If one day I want to become a hacker, I would go for white hat hacker for sure.
Posted by at No comments:

Program Security

Venue : BK7, Building FTMK.
Date : 9-9-2009
Time : 9.00 a.m. – 10.50 a.m.

The lecture for this week was about Program Security. Throughout this lecture, I have learnt several important facts about the security of a program such as the non-malicious errors, malicious code, control against the threats and so on. Basically, there are three types of non-malicious program error, and they are the buffer overflows, incomplete mediation – data exposed or uncontrolled and time of check to time of use. I would like to show some examples and give some brief explanations for each type of the non-malicious errors:

Types of error

Example/ Explanation

Buffer Overflows

Example: In C programming, instead of using strcpy(des, src), it would be better if we use strncpy(des, src, n).

Explanation: To copy a string from a source to its destination, the case for buffer overflow will occur if the array size for destination is smaller than the array size for its source. For instance:
src[10];
des[9];

The error will occur if we copy the whole string by using the coding strcpy(des, src). We can avoid the error by not copying the whole string, but just copying the string partially by using the coding strncpy(des, src, n). For example, strncpy(des, src, 7), where n = 7. In this case, we are copying the seven alphabets from the source (size = 10), to its destination (src = 9), so the buffer overflows can be prevented.

Incomplete Mediation

Example: The link below shows the use of get method in web application development:-
http://www.testing.com/order.asp?cutID=115&part=666&qty=3&price=500&total=1500

Explanation: One of the disadvantages of get method is that it exposes too many values for data in the link. The values are to be passed to the databases or as the reference for the next targeted webpage. Just imagine, if the values are being changed by the user before they are passed and stored into databases, what are the possible consequences? To make everything clear, I would like to use the link above to explain. If the user changes the values of price and total to zero, he or she can purchase the item for free, does it make sense? So, it would be better if we use the post method to avoid the data to be exposed in a link.

Time of check to time of use

It is basically the process of executing the instruction. It would process all the data rather than putting them on clipboard.


Next, I have learnt about the Malicious Programs. The table below shows the examples of malicious codes and some of their descriptions:

Type of malicious codeExplanation
TrojanA program which performs a useful function but also performs an unexpected action.
VirusA code segment which replicates by attaching copies to existing executables.
WormA program which replicates itself and causes execution of the new copy.
BacteriaReplicates until it fills all disk space, or CPU cycles.
Logic BombMalicious code that actives on an event.
Trap doorUndocumented entry point written into code for debugging that can allow unwanted user.

For the trap door type, Mr Zaki told us about a real life story related to it – “The Salami Attack”. It was very interesting. The story is about a guy named Salami, who was once a programmer for a bank. He came out with a brilliant idea to make money through the program he wrote. He transferred the third decimal place of the value for every transaction to its own bank account through the coding he wrote. As I said just now, he was very brilliant because nobody would notice the third decimal place of a currency as the value is too small and very hard to be traced. However, no one in this world can escape from the punishment after committing a crime, he was caught for whatever he had done. People started to notice and investigate it when he bought houses, branded cars and so on using cash.
Finally, the lecture was end with the pillars of software security. Three of the pillars of software security are risk management, touchpoints and knowledge.

Posted by at 1 comment:

Lab 5

Venue : Makmal Sistem, Building FTMK.
Date : 27-8-2009
Time : 10.00 a.m. – 11.50 a.m.


The title for the lab session this week was Modern Cryptography (extended version). It continued from last week’s lab session actually. So after learning the RSA algorithm last week, this week we have learnt about DES algorithm. DES is a topic that we have learnt during the lecture last week; the difference is that we got to do DES practically this week.
After that, we were asked to do the review question. Luckily, Mr. Zaki guided us to do that, if not everyone will be fainted. We used Microsoft Office Excel to do the task and it was quite fun although the task is very complicated and quite frustrated sometimes. Before the lab session ended, Mr. Zaki told us for those who are interested in doing Final Year Project on this topic; we can let him know next semester. Developing an application to perform DES by using C++, vb .net or Java, sounds cool to me, I will consider it wisely… …
Posted by at No comments:

Modern Cryptography – Part 2

Venue : BK7, Building FTMK.
Date : 26-8-2009
Time : 9.00 a.m. – 10.50 a.m.

The lecture just now began with a brief re-cap for the topic DES which we have learnt last week. Soon after that, the lecture continued with the topic Message Authentication. Message Authentication can be used to protect against active attacks. The diagram below show how it actually works:

Next, Mr. Zaki taught us about the Hash Function. There are three methods for has function:

  • Using conventional encryption

  • Using public-key encryption

  • Using secret value

The three algorithms used in hashing function are MD5, SHA-1 and SHA-256.Then, we learned about digital signatures. It is the provision of a means of settling disputes between sender and receiver that distinguishes the digital signature mechanism from the MACing process. The diagram below shows how digital signature works:

To create a digital signature using RSA:

The signature can be verified by anyone who knows the corresponding public key. Certification Authority (CA) is the next topic of this chapter. CA’s aim it to guarantee the authenticity of public key by signing a certificate containing user’s identity and public key with its secret key. In order to do so, all users must have an authentic copy of the Certification Authority’s public key. The lectures continued with the topic Key Management, the diagram below depicts the life cycle of a key:

The last two topics for today’s lecture ware RSA which was learnt during the lab session last week and methods of attacks. The four general attacks against encrypted information are:

  • Ciphertext-only attack

  • Known Plaintext

  • Chosen-plaintext

  • Chosen-ciphertext attack

Then the attacks that can be launched against encryption systems are:

  • Brute-Force attack

    • Exhaustive key search - trying every possible combination.

  • Replay attacks

    • Taking encrypted information and playing it back at a later point in time.

  • Man-in-the-middle attacks

  • Fault in Cryptosytem
Posted by at 1 comment:
Subscribe to: Posts (Atom)