IST 210
Is “Secure Database” an Oxymoron

New technology
We all demand more from our technology
Devices’ functions start to converge
  PDA/Phone/Pager devices
Networks are extending a DBMS’s functionality
This can have unintended, and often negative, consequences

Bluetooth
Becoming pervasive
  Acura, BMW and Daimler-Chrysler vehicles
  Nokia, Sony-Ericsson and Motorola cell phones
  Laptops
  PDAs
The convenience and cool-factor are undeniable
  Lara Croft in Tomb Raider
  Wireless modems
  Wireless GPS modules
  Headsets and car phone kits

Bluejacking or Bluesnarfing
There’s a new sport - “Warnibbling”
Using “Bluesnarf”, attackers can
  Download your contact list
  Your last-dialed number list
  Use your equipment without your knowledge or consent
    Wireless Internet access
    Outgoing phone calls
    Text messages
Bluejacking
  Anonymous text messages to your phone

Wireless LANs
A whole new list of problems and threats
Wireless LAN attacks
  War Driving/War Flying (!)
  War Chalking
Other issues
  Drive-by spamming
  Drive-by worming
  Printer abuse
  VoIP over 802.11
  Theft of data and more

Attacking the WLANs
War Driving and War Chalking
This is a concept that has recently gained much popularity
Hackers will “war walk” or “war drive” around an area
When they find a WLAN, they will make a chalk mark
  On a building or a sidewalk
This mark gives information about the WLAN found
The diagram at right is a wallet card showing some of the symbols and their meanings
The objectives?
  Free Internet access, mostly
  Corporate or entity LAN hacking, sometimes
  Stealing service – for example, hijacking someone’s MAC address at Starbucks
  VoIP eavesdropping

Drive-by Spamming
New phenomenon
Attackers equip a van with a toroidal antenna
  And a server farm
Scout business districts and neighborhoods looking for WLANs
Once they find an open network, they connect and look for a mail server
Often, attackers dump upwards of 1,000,000 emails per day through corporate mail servers
Drive-by Worming

What kind of security is needed?
Layered security approach
  “Defense in depth”
Separation of networks from one another
  WLAN/Data/VoIP/Control System
  VLANs
Monitoring and management can help
Clean up-front design
Don’t put all your eggs in one basket

Conclusion
Cool tech can often lead to uncool problems
Opportunity is a matter of perspective
Just because I’m paranoid…
Be careful with your Bluetooth phone
A combination of different methods works best
Nothing is 100% effective

Security is like a lot of things ...
It can never be 100% effective.
It contributes nothing to the performance.
You can never be sure you actually need it at the time.
You don’t know whether it has worked until after the event – sometimes long after!
The only way to measure its effectiveness is in terms of its failures.
A combination of methods gives the greatest reduction in risk.
You should never rely on someone else’s precautions - to be certain, you have to take care of it yourself.