Download - Class 5 Privacy Security
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 1/34
CPSC 101
Privacy and Security
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 2/34
Learning GoalsBy the end of this unit, you will be able to:
Define “computer security” in terms of the C-I-A principles
Explain how we uphold the C-I-A principles, and give examples of what that means in
simple administrative systems Lists the types of ways in which computer security can be compromised
List the risks associated with computers, and the vulnerabilities that have been identifiedhere
Describe the differences between viruses, trojans and worms. Describe goals and techniques of hackers and understand basic ways of dealing with
them.
Differentiate different online activities among associated risk (i.e. online banking is arelatively safe activity-- explain why)
Define encryption and the Caesar Cipher; translate an encoded message given a key usingthis cipher
Differentiate between black box and white box security and their relative merits.
Respect the danger; be responsible computer users! Explain why computer security is
important. Justify your behavior as a responsible computer user.
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 3/34
Defining Computer Security Computer and network security are built upon three general
principles (C-I-A):
Confidentiality
Data is kept hidden from all but those authorized to view it
Integrity
Data remains in the same state as it was left by the last authorized user; cannot
be corrupted either accidentally or maliciously
Availability
Data is accessible to authorized users as necessary, in a convenient format, and
without unreasonable delay
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 4/34
Defining Computer SecurityCentral to upholding the C-I-A are the following:
Identification
Who do you say you are?
Authentication
How do I know it’s really you?
Authorization Now that you are here, what are you allowed to do?
Accountability
Who did what? Who’s responsible? When did they do it?
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 5/34
Defining Computer SecurityExample, “keep-it-simple” administration:
Identification
Username
Authentication
Password
Authorization Accessibility restrictions
Accountability
Record major actions of the user in the previous 7 days
What is wrong with this? How do I break in?
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 6/34
Defining Computer SecurityExample, high-security administration:
Identification
Username
Authentication
Biometric reader (retina, finger print, voice analysis)
Password
Authorization
Accessibility restrictions
Accountability Record all actions taken by the user indefinitely.
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 7/34
Computer Security1. Write the names and student IDs of the 2-4 students
participating on one sheet of paper.
2. List 3 examples of computer security threats or issues.
3. List 2 ways of dealing with each type of threat.
4. Come up with a definition of “Computer Security”.
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 8/34
Computer Security BasicsMajor computer security issues:
Identity theft / Personal theft Viruses / Trojans / Worms
Spyware / Adware
National security Privacy concerns
Protecting our children
Hackers / Software crackers Spam / email fraud / spoofing
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 9/34
Types of Threats Unintentional threats:
Carelessness causes more problems than you might first imagine.
In general, more information is lost/compromised through acts of
carelessness than through acts of malice!
What are the major threats from carelessness?
Intentional threats:
The reality is the average user is not only incapable of mounting a
serious attack on a computer, but likely completely disinterested in
doing so.
Nonetheless, criminals and vandals who are capable and desirous do
exist.
Natural threats
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 10/34
Vulnerability
The onset of broadband-- rapid, personal Internet
connections-- has changed our risk factors
Now we have everyday users with computers at home, connected tothe Internet, and running 24/7
i.e. targets!
It is estimated that the between the initial set up of a computer andthe first attack is < 2 minutes!
This can happen before you have time to install countersoftware!
New computers can have viruses within minutes!
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 11/34
VulnerabilityTypes of vulnerability:
Physical
Theft, sabotage, vandalism of physical hardware
Locks, guards and biometrics can be put in place to reduce
Natural
Environmental threats (dust, humidity, temperature/power fluctuations),
natural threats (lightning, fires, floods), natural disasters (floods, earthquakes) Hardware/software vulnerabilities
Exploitation by hackers/crackers
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 12/34
VulnerabilityOther types of vulnerability:
Media
Lost/damaged backup media; “erasing data”; media degredation
Communication Intercepting data/messages (electronic eavesdroppers)
Humans!
What if your network admin decides on a life of crime? What if someone writes down a key password and loses it?
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 13/34
Vulnerability
That is, your system may be participating in illicit behaviour without
your knowledge.Examples include:
Distributed Denial of Service attacks (DDoS), where a target is bombarded with requests so as to overwhelm and disable the system
Email Relays where your system is used to relay spam or even
pornography-- such messages look like they come from you!
Illicit Website Hosting where your computer may be hosting web
sites that you’re not aware of.
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 14/34
Hacking / Cracking A word with lots of history. Some attempts have been made
to differentiate “hacking” from “cracking” by emphasizing that
hacking is non-destructive.
Overall, the key goals for hackers are to:
Gain unrestricted or root access and the installation of a back
door which provides easy future access to the system.
Search for valuable data like passwords, credit card numbers, or
important files.
Sometimes and, in the best case, simply entertainment.
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 15/34
Hacking / Cracking Techniques Dictionary Attack: beat a password by using a massive dictionary of the most
common passwords.
Port / File Scanning: identifying vulnerable programs that are listening to
network ports or files that have incorrect access controls and using them. Packet Sniffing: intercepting and reading network traffic and looking for
valuable data like passwords or credit card numbers.
Code Injection Attacks: sending a malformed message to a program that
causes actions that are unwanted. Shoulder surfing: finding passwords by literally watching people type them.
Password gathering: using passwords from one system to break into othersystems.
Default exploits: a technique for accessing a system by exploiting defaultpasswords that may be left unchanged.
Why am I teaching you this? (Hint: no, I’m not trying to make you ahacker)
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 16/34
“Viruses” Virus is a term that is often incorrectly used to describe
several varieties of malicious programs:
Virus: fairly uncommon in modern computing. True virusesare programs that spread through human intervention such as
infecting an USB drive or email. Commonly and incorrectly
used as a name for all malware programs. Trojan: a very common type of malware. Trojans are programs
that pretend to be another program.
Worm: another common type malware. Worms are malwareprograms that move automatically from computer to computer.
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 17/34
Privacy and Authentification: Email Email travels through several layers of systems in its journey
from sender to recipient
In theory, anyone with the right level of access and technical expertise
can read your email without you ever knowing
Email typically contains the address of the sender, however these
addresses can be forged
Ever receive spam that looks like it’s from someone you know?
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 18/34
Privacy and Authentification: EmailHow can we protect ourselves?
Emails with highly sensitive content simply should not be sent
Give credit card information over the phone during a call that
you place.
If you must send sensitive content, send an encrypted message
Thus, if it is intercepted, the perpetrator will see only an
encrypted message
What does both of these assume?
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 19/34
Privacy and AuthentificationHow can we protect ourselves?
Choose your passwords wisely!
Don’t use obvious words Don’t use single words
Intentionally misspell a word or use acronyms
Choose passwords at least 8 characters long
Mix upper and lower case
Add numbers, punctuation marks, or symbols
Don’t write your password down or tell anyone
Change your password regularly
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 20/34
Online banking, etc. What are our concerns?
How do we know when we are doing our online banking that
our data is really safe?
What do banks do to protect us?
Is our data safe even on our own computers?
Let’s take a look at how banks protect us (and themselves)...
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 21/34
Shh… It’s a secret! First, banks use something called 128-bit encryption
Encryption refers to a process of hiding data such that the
original information can only be recovered through thecorresponding decryption process.
The science of encryption-decryption is called cryptography
In general, the algorithms for these method are publicly available
Wait a second! Publically available? Wouldn’t it be better if thealgorithms were secret?
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 22/34
Black Box vs White Box Security Black box security: Information about the security
techniques are hidden to prevent vulnerabilities from being
detected. Problem: you are assuming that your information stays hidden.
White (or Clear) box security: Information about the
security is publically available.
If you are safe with white box security, your system is truly
secure since are not relying on information remaining secret.
White box security encourages examination and early detection
of threat by ethical hackers.
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 23/34
Shh… It’s a secret!If the cryptography algorithms are public, then how is our
data safe?
Through the use of a key
Sample key: 0001000 10101010 00101000 01101110
An encrypt. algorithm takes the original message and the key,
and uses the key to alter the original message based on the
contents of that key
Thus, even if you have the decryption algorithm, you cannot
decrypt a message without the key!
It’s the keys that must be top secret!
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 24/34
Caesar Cipher The Caesar Cipher is one of the earliest examples of
cryptography supposedly invented by Julius Caesar
A cipher is a means of transforming text in order to contain it’s meaning
Caesar would take the alphabet and shift it a certain number of
spaces
For example, if the shift was 3, then A would become D, B would be
E, etc.
The key was then the shift factor (how much you shifted)
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 25/34
Caesar CipherFor example, a shift-factor of 3 (key == 3) would change the
following message
THIS IS MY FAVOURITE CLASS!
to...
WKLV LV PB IDYRXULWH FODWW!
If we take out the punctuation and spaces...
WKLVLVPBIDYRXULWHFODWW
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 26/34
Back to online banking So how does the bank use this?
They use a key that is 128-bits long... that is...
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX... zeros and ones
This key is so powerful that it is currently the highest available
(legally) Stealing information encrypted at this level is virtually impossible
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 27/34
Virtually impossible?Well, unless you’re planning on living forever and have a lot of
time on your hands...
Consider this... using 128-bit keys: There are 2128 possible keys
That is, 340,282,366,920,938,463,463,374,607,431, 768,211,456 possible
combinations of ones and zeros If we assume we can test 60 keys a second, that’s
567,137,278,201,564,105,722,910,123,862,803,524 seconds
Or, 94,522,879,700,260,684,295,381,835,397,713,392 minutes Or, 1,575,381,328,337,678,071,589,697,256,628,556 hours
Or, 65,640,888,680,736,586,316,237,385,692,856 days
Or, 179,838,051,180,100,236,482,842,152,583 years
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 28/34
Wow, so it’s bullet proof right?Well, not exactly. The encryption itself is essentially impossible to
break...
..but what matters is where the security measures are being applied All of your data that is transferred over the Internet has to be secured
to this level
How can you be sure that the encryption technique is really so hardto break? Mathematical tricks have broken several previous
encryption techniques.
How can you tell if data is encrypted? Look for the padlock, orsimilar symbol indicating that all content sent to or from this site is
encrypted. Check the company for more information on what bit
encryption they use.
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 29/34
To make things even stronger… Encryption ensures that someone cannot break in or
intercept your banking data
Banks also use PINs (personal identification numbers) andpasswords
This means that someone can’t pretend to be you, without logging
in as you Here’s where good password choices are important
Companies through whom you may purchase or otherwise
provide banking information also use direct-modem connections
Direct connections that are not through the Internet
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 30/34
What’s a user to do?It’s a scary world out there, admittedly...
You need to worry about power failures, natural disasters, making
backups, worms, trojans, physical theft.
You need to worry about computer abuse and the unwittingly role
you may play if you do not adequately protect your computer.
If you are on a network, you must observe network security and
access restrictions.
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 31/34
What’s a user to do?Recognize your responsibility!
If you operate a computer of any kind then you share a responsibility
for computer security
Run virus software and keep it up-to-date
Run a firewall to protect your system from unwanted visitors, and
keep up-to-date
Practice responsible web surfing and email browsing
Never click on a link in an email unless you are sure of the
sender/source; if you’re not sure, email your friend and ask for
confirmation
Never respond to email phishing; this includes “unsubscribe”
requests!
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 32/34
What’s a user to doRecognize the real threats...
The likelihood of your data being stolen through an encryptedsite, such as a banking website, or online store, is extremelyslim
But first do your research and ensure that they have adequateencryption
Also check for the padlock before ever entering/submittingdata
Most data is compromised due to carelessness and irresponsible
computer users Ask yourself: is that you?
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 33/34
Summary
There are different levels of risks associated with
computers
We must understand those risks and our responsibilitieswith upholding computer security
There are many types of computer vulnerabilities, andmany ways to respond to each of those vulnerabilities
Still, many aspects of computing are safer than we may
initial think, such as online banking
8/4/2019 Class 5 Privacy Security
http://slidepdf.com/reader/full/class-5-privacy-security 34/34
Learning GoalsBy the end of this unit, you will be able to:
Define “computer security” in terms of the C-I-A principles
Explain how we uphold the C-I-A principles, and give examples of what that
means in simple administrative systems
Lists the types of ways in which computer security can be compromised
List the risks associated with computers, and the vulnerabilities that have
been identified here
Differentiate different online activities among associated risk (i.e. online
banking is a relatively safe activity-- explain why)
Define encryption and the Caesar Cipher; translate an encoded message given
a key using this cipher
Respect the danger; be responsible computer users! Explain why computer
security is important. Justify your behaviour as a responsible computer user.