Mister Disagree

Lecture 9: Intrusion Detection System


Intruders
- Significant issue hostile/unwanted trespass - from benign to serious
- User trespass - unauthorized logon, privilege abuse
- Software trespass - virus, worm, or trojan horse
- Classes of intruders: - masquerader, misfeasor, clandestine user

-Security Intrusion & Detection

Security Intrusion - a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.

Intrusion Detection - a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.


Hackers
1. motivated by thrill of access and status
2. benign intruders might be tolerable
3. IDS / IPS / VPNs can help counter

Intrusion Detection Systems
- Classify intrusion detection systems (IDSs) as:
1. Host-based IDS: monitor single host activity
2. Network-based IDS: monitor network traffic

- Logical components:
1. sensors - collect data
2. analyzers - determine if intrusion has
3. occurred
4. user interface - manage / direct / view IDS

IDS Principles
- assume intruder behavior differs from
- legitimate users
- from past history

IDS Requirements
- run continually
- be fault tolerant
- resist subversion
- impose a minimal overhead on system
- configured according to system security policies
- adapt to changes in systems and users
- scale to monitor large numbers of systems
- provide graceful degradation of service
- allow dynamic reconfiguration

Types of IDS
1. Host IDS
2. Network IDS
3. Distributed IDS

Intrusion Detection Techniques
- signature detection
- anomaly detection
- when potential violation detected sensor sends an alert and logs information

Anomaly Detection
- threshold detection
◦ checks excessive event occurrences over time
◦ alone a crude and ineffective intruder detector
◦ must determine both thresholds and time intervals

Signature Detection - observe events on system and applying a set of rules to decide if intruder

Honeypot
• are decoy systems
– filled with fabricated info
– instrumented with monitors / event loggers
– divert and hold attacker to collect activity info
– without exposing production systems
• initially were single systems
• more recently are/emulate entire networks



Lecture 10: Legal and Ethical Issues in Computer Security

Legal & Ethical
- Law
- a rule of conduct or action prescribed or formally recognized as binding or enforced by a controlling authority
- implies imposition by a sovereign authority and the obligation of obedience on the part of all subject to that authority
- Ethics
- a set of moral principles or values
- the principles of conduct governing an individual or a group
- an objectively defined standard of right and wrong

Categories of Law
- Civil law
- Criminal law
- Tort law

Categories of unethical and illegal behavior:
- Ignorance
- Accident
- Intent

Ethics Concept
- Ethical Differences Across Cultures
- Software License Infringement
- Illicit Use
- Misuse of Corporate Resources
- Ethics and Education
- Deterrence to Unethical and Illegal Behavior

Computer Crime
- A computer can be :
- attacked
- used to attack
- used as a means to commit crime

HACKING THE WIRELESS NETWORK


Tools: Backtrack 2 software
Victim: Wireless AP

Backtrack

BackTrack is a Linux distribution distributed as a Live CD which is used for penetration testing. It allows the user to include customizable scripts, additional tools and configurable kernels in personalized distributions.

Step 1: Download backtrack 2

Step 2: Installing Backtrack

Step 3: Starting backtrack

1. Start the virtual machine
2. Partition and mount the hard drive
The virtual SCSI hard drive in VMware is usually /dev/sda. We need to partition this drive and create a filesystem on which Backtrack 2 can be installed.
We will use fdisk to create 2 partitions - one for the filesystem and one for swap space.
fdisk /dev/sda
Enter each line below into fdisk’s prompt:

n
p
1

+7168M
n
p
2


W

* This will create a 7GB partition for the filesystem and a 1GB swap space. If you want more space on the filesystem (or if you made your virtual disk larger than 8GB), you can change +7168M to another number (in megabytes).

3. Create an ext3 filesystem on the first partition:
mkfs.ext3 /dev/sda1
4. Create swap space on the other:
mkswap /dev/sda2
5. Mount the drive:
mkdir /mnt/backtrack
mount /dev/sda1 /mnt/backtrack

6. Run startx to boot up KDE

7. Use the Backtrack installer
Start > System > Backtrack Installer
Leave the source blank
Install backtrack to: /mnt/backtrack
Write MBR to: /dev/sda
Select Real (2700 MB required) for the installation method
Click install. It could take awhile or hang at certain parts (seems to hang for awhile at 81% on my machine).

CHAPTER 5 (cont.)

* Who cause sequrity problem - Hacker, spy, student, businessman, ex - employee, terrorist

Network security problem area:
1. Authentication - hacker want to be an autheriza user, so they am this first.
2. Secracy - In the midle between sender and receiver.
3. Non- repudiation - deal with digital signature.
4. Integrity - Ensure that only authorize user allow to change the data.

Disadvantages of computing network
1. Sharing.
2. Complexity.
3. Unknown paramenter - alot of point on the network that possible to exploite to capture packet.
4. Ananomity - For a big network,we dont even know who at the other point. eg: some one may hack the DNS server before take over the website.
5. Sequrity exposure - Privacy, data integrity, authenticity, convert channel, impersonaty and evesdropping.

Theaten Network
1. Denial Of Service - DOS, DDOS
2. Packet replay - Capture packet that being sent to the AP that using WEP, but it use a lot of time so we use packet replay to dacoy the AP while sniffing the packet without change that packet's content.
3. Packet notification - capture and change the packet's content.

Network security control
1. Encryption
2. Strong authentication
3. IPSec, VPN, SSH
4. Karberos
5. Firewall (act as a roadbloack)
6. IDS (act as speedtrap)
7. IPS (act as grill)
8. Honeypot

Encryption
1. link to link
- cover layer 1 & 2 attack
- use switch layer 3 to prevent it
2. end to end
- Use application to encrypt send packet


IPSec
- Authentication & encapsulation
- Work on layer 3
- Only can be decrypt on the receiver side

SSL
- Combining of symmetric (on client host)and asymmetric (on server)algorithm

Karberos
- 1 server use to provide control authentication called as Karberos server
- Host need to have a ticket before able to send a packet to any server, 1 authentication server use to control the ticket.
-The ticket characteristic is unique, encrypted and have a life time period, since the life time is over the limit, client should request the new one before able to communicate to other server.

Firewall
- Differentiate the user whether it inside or outside the network.
- Basically hacker use the alternative way or tunneling to pass the firewall.
- Once the hacker already inside the network, firewall cant do anything.

IDS
- Capture packet and compare with the rule of IDS that installed and stored in database. If detect the malicious packet, an alert will be sent to admin so an admin can go to firewall device to block that particular packet.
- Based on attitude of admin and rule, admin must update the rule constantly so it would be still relevant.

IPS
- Scan the network, and if detect a malicious packet, IPS will send alert to access list on firewall, the firewall will directly block that particular packet.

Hacking involve:
1. Reconnaissance – gain general info on target host
2. Scanning
3. Gaining access
4. Maintaining access
5. Covering track


Chepter 6

Email
- 2 part:
- Header
- Body
- Send as text file format.
- Use MIME that allow us to an email that contain image file, attachment file or whatever.
- Non-encrypted because it just a plain text

S/MIME
- Encrypted content
- We can choose whether just want to send the email as plaintext or being encrypted.

Web security
- To secure our web/http
- Use SSL/TLS,SSH,SET

SSH
- Transfer data securely (encrypted)

Security in Network

Step 1: Start your virtual machine containing winserv03_server and winserv03_client.

Step 2: Set the IP address of your winserv03_server and winserv03_client and set them as host
only so they can communicate each other

Step 3: Install Information Services (IIS) with FTP at winserv03_server to enable FTP services

Step 4: installed then open Wireshark on winserv03_server

Step 5: Start FTP services

Step 6: Install IP Security Monitor

Step 7: Configure IPSec on server
1. Click [Start] | [Run] and then type mmc.
2. Management Console will appear and then, on the menu bar click [File] | [Add/Remove snap-in].
3. On the Add/Remove Snap-in box, click [Add] button and select the [IP Security Monitor] and click [OK].
4. Repeat step 3 by selecting IP Security Policy Management on Local Machine and then click [Finish].
5. On the Add/Remove Snap-in, click [OK].
6. In the right pane, right-click on [Secure Server (Require Security)] | [Properties].
7. In the Secure Server (Require Security) Properties dialog box, highlight All IP Traffic and click [Edit].
8. On the Edit Rule Properties dialog box, select the Authentication Method tab. Click add and screen New Authentication Method Properties will appear. Select Use this string (preshared key) and then type MSPRESS in the scroll box, then click OK. Make sure your client preshared key must be same as server preshared key
9. Highlight the Preshared Key and click the [Move up] button to make the preshared key as a first priority for the authentication. Click [Apply] | [OK].
10. Click [OK] on the [Secure Server (Require Security)] Properties dialog box and close it.
11. Right-click on [Secure Server (Require Security)], and click [Assign] from the pop-up menu.



Step 8: Configure on client
1. Click [Start] | [Run] and then type mmc.
2. Management Console will appear and on the menu bar click [File] | [Add/Remove snap-in].
3. On the Add/Remove Snap-in box, click [Add] button and select the [IP Security Monitor] and click [OK].
4. Repeat step 3 by selecting IP Security Policy Management on Local Machine and then click [Finish].
5. On the Add/Remove Snap-in, click [OK].
6. In the right pane, right-click on [Secure Server (Require Security)] | [Properties].
7. In the Client (Response Only) Properties dialog box, highlight and click [Edit].
8. On the Edit Rule Properties dialog box, select the [Authentication Method] tab. Click [add] and screen New Authentication Method Properties will appear. Select Use this string (preshared key) and then type MSPRESS in the scroll box, then click [OK].
9. Highlight the Preshared Key and click the Move up button to make the preshared key as a first priority for the authentication. Click [Apply] | [OK].
10. Click [OK] on the Client (Response Only) Properties dialog box and close it.
11. Right-click on Client (Response Only), and click [Assign].

- Networks as System:
- Single System - Single set of security policies associated with each computing system.
- Each system concerned with:
-Operating system enforces its owns security policies.

- Advantages of Computing Networks:
1. Resource sharing
2. Increased reliability
3. Distributing the workload
4 Expandability

Web scarab

* WebScarab is a web security application testing tool. It serves as a proxy intercepting browser web request and web server replies

Step 1: Install Webgoat browser

Step 2: Install java (*java app. is require to run your webscarab)

Step 3: Install webscarab

Step 4: Run it

Fingerprint authentication

- Basic steps for fingerprint authentication:
¤ Image acquisition
¤ Noise reduction
¤ Image enhancement
¤ Feature extraction
¤ Matching

MODEN CRYPTOGRAPHY

Data Encyption Standard (DES)

ANSWER:

incoming...