Friday, May 28, 2010
Thursday, October 29, 2009
Alhamdulillah...Akhirnya...
Terima Kasih kepada rakan-rakan yang banyak memberi tunjuk ajar dan membantu diri ini..
Terima Kasih yang tak terhingga pada Encik Mohd Zaki Mas'ud iaitu pensyarah subjek ini kerana telah banyak memberikan ilmu yang sangat berguna dan bermanfaat..Halalkan semua ilmu yang telah dicurahkan dan maafkan segala salah dan silap saya...Sekian...Wasalam....
Wednesday, October 28, 2009
Lecture 10 - Legal & Ethical Issues in Computer Security
Therefore, there are three motivations for studying the legal section
to know what protection the law provides for computers and data;
to appreciate laws that protect the rights of others with respect to computers, programs, and data; and
to understand existing laws as a basis for recommending new laws to protect computers, data, and people.
::->There are three common used ways to provide protections by laws:
@Copyright
Copyright gives the author/programmer exclusive right to make copies of the expression and sell them to the public. That is, only the author can sell copies of the author’s book (except, of course, for booksellers or others working as the agents of the author).
< style="font-style: italic;">Copyrights for Computer Works
The algorithm is the idea, and the statements of the programming language are the expression of the idea.
Therefore, protection is allowed for the program statements themselves, but not for the design: copying the code intact is prohibited, but reimplementing the algorithm is permitted.
Examples of Copyrights
A second problem with the copyright protection for computer works is the requirement that the work be published.
A program may be published by distributing copies of its object code, for example on a disk. However, if the source code is not distributed, it has not been published.
An alleged infringer cannot have violated a copyright on source code if the source code was never published.
A copyright controls the right to copy and distribute; it is not clear that allowing distributed access is a form of distribution in distributed system.
@Patent
Patents are unlike copyrights in that they protect inventions, not works of the mind.
The distinction between patents and copyrights is that patents were intended to apply to the results of science, technology, and engineering, whereas copyrights were meant to cover works in the arts, literature, and written scholarship.
The patents law excludes newly discovered laws of nature … [and] mental processes.
Computer Objects
The patent has not encouraged patents of computer software.
For a long time, computer programs were seen as the representation of an algorithm was a fact of nature, which is not subject to patent.
There was a case on a request to patent a process for converting decimal numbers into binary. The Supreme Court rejected the claim, saying it seemed to attempt to patent an abstract idea, in short, an algorithm. But the underlying algorithm is precisely what most software developers would like to protect.
@Trade Secret
A trade secret is information that gives one company a competitive edge over others. For example, the formula for a soft drink is a trade secret, as is a mailing list of customers, or information about a product due to be announced in a few months.
The distinguishing characteristic of a trade secret is that it must always be kept secret. The owner must take precautions to protect the secret, such as storing it in a safe, encrypting it in a computer file, or making employees sign a statement that they will not disclose the secret.
Trade secret protection applies very well to computer software.
The underlying algorithm of a computer program is novel, but its novelty depends on nobody else’s knowing it.
Trade secret protection allows distribution of the result of a secret (the executable program) while still keeping the program design hidden.
Trade secret protection does not cover copying a product (specifically a computer program), so that it cannot protect against a pirate who sells copies of someone else’s program without permission.
However, trade secret protection makes it illegal to steal a secret algorithm and use it in another product.
Rights of Employees and Employers
• Employers hire employees to generate ideas and make products. Thus, the protection offered by copyrights, patents, and trade secrets applies to the idea and products.
• However, considering the issue of who owns the ideas and products is much more complex.
• Ownership is an issue of computer security because it relates to the rights of an employer to protect the secrecy and integrity of works produced by the employees.
Ownership of the Products
• Ownership of a patent - The person who owns a work under patent or copyright law is the inventor.
• Therefore, employee can has the right of the patent.
• However, in a patent law, it is important to know who files the patent. If an employee lets an employer patent an invention, the employer is deemed to own the patent and , therefore, the right to the invention.
• The employer also has the right to patent if the employee’s job functions included inventing the product.
• Ownership of a copyright - Ownership of a copy right is similar to ownership of a patent.
• The author (programmer) is the presumed owner of the work.
• Normally, the owner has all rights to an object.
• However, a special situation known as work for hire applies to many copyrights for development of software or other products.
• Trade secret protection - In the event a trade secret is revealed, the owner can prosecute the revealer for damages suffered.
• But first, ownership must be established because only the owner can be harmed.
• A company owns the trade secrets of its business as confidential data. As soon as a secret is developed, the company becomes the owner.
• Employment contracts - Sometimes there is no contract between the software developer and a possible employer. However, commonly an employment contract will spell out rights of ownership. Having a contract is desirable both for employees and employers so that both will understand their rights and responsibilities.
Why Computer Crime is Hard to Define?
Understanding
*Neither courts, lawyers, police agents, nor jurors necessarily understand computers.
Fingerprints
*Polices and courts for years depended on tangible evidence, such as fingerprints. But with many computer crimes there simply are no fingerprints, no physical clues.
Form of Assets
*We know what cash is, or diamonds, or even negotiable securities. But are 20 invisible magnetic spots really equivalent to a million dollars?
Juveniles
*Many computer crimes involve juveniles. Society understands immaturity and can treat even very serious crimes by juveniles as being done with less understanding than when the same crime is committed by an adult.
Type of Crimes Committed
Telecommunications Fraud
It is defined as avoiding paying telephone charges by misrepresentation as a legitimate user.
Embezzlement
It involves using the computer to steal or divert funds illegally.
Hacking
It denotes a compulsive programmer or user who explores, tests, and pushes computers and communications system to their limits - often illegal activities.
Automatic Teller Machine Fraud
It involves using an ATM machine for a fraudulent activity - faking deposits, erasing withdrawals, diverting funds from another person’s account through stolen PIN numbers.
Records Tampering
It involves the alteration, loss, or destruction of computerised records.
Acts of Disgruntled Employees
They often use a computer for revenge against their employer.
Child Pornography and Abuse
They are illegal or inappropriate arts of a sexual nature committed with a minor or child, such as photographing or videotaping.
Drug Crimes
Drug dealers use computers to communicate anonymously with each other and to keep records of drug deals.
Organised Crime
For all kinds of crime, the computer system may be used as their tools.
Cryptography and the Law
• Cryptography is a regulated activity, but the issues are a little less clear-cut, in part because there is little open discussion of the subject.
• Everybody wants cryptography e.g. business, individual, criminal, bankers, and government.
• France prohibits use of encryption by individuals, asserting that in order to control terrorism, it must have access to communications of suspected terrorists.
What are Ethics?
• Society relies on ethics or morals to prescribe generally accepted standards of proper behaviour.
• An ethic is an objectively defined standard of right and wrong within a group of individuals.
• These ethics may influence by religious believe. Therefore, through choices, each person defines a personal set of ethical practices.
• A set of ethical principles is called and ethical system.
Differences of The Law and Ethics
• Firstly, laws apply to every one, even you do not agree with the laws. However, you are forced to respect and obey the laws.
• Secondly, there is a regular process through the courts for determining which law supersedes which if two laws conflict.
• Thirdly, the laws and the courts identify certain actions as right and others as wrong. From a legal standpoint, anything that is not illegal is right.
• Finally, laws can be enforced, and there are ways to rectify wrongs done by unlawful behaviour.
Ethical Issue in Computer Security
SUMMARY
Laws are formally adopted rules for acceptable behavior in modern society. Ethics are socially acceptable behaviors. The key difference between laws and ethics is that laws carry the sanction of a governing authority and ethics do not.
Organizations formalize desired behaviors in documents called policies. Policies must be read and agreed to before they are binding.
Civil law represents a wide variety of laws that are used to govern a nation or state. Criminal law addresses violations that harm society and are enforced by agents of the state or nation. Tort law is conducted by means of individual lawsuits rather than criminal prosecution by the state.
Private law focuses on individual relationships, public law addresses regulatory agencies.
Deterrence can prevent an illegal or unethical activity from occurring. Deterrence requires significant penalties, a high probability of apprehension, and an expectation of enforcement of penalties.
As part of an effort to encourage positive ethics, a number of professional organizations have established codes of conduct or codes of ethics that their members are expected to follow.
END OF LECTURE 10
Lecture 9 - Intrusion Detection System(IDS)
Intruders
significant issue hostile/unwanted trespass
from benign to serious
user trespass
unauthorized logon, privilege abuse
software trespass
virus, worm, or trojan horse
classes of intruders:
masquerader, misfeasor, clandestine user
Examples of Intrusion
remote root compromise
web server defacement
guessing / cracking passwords
copying viewing sensitive data / databases
running a packet sniffer
distributing pirated software
using an unsecured modem to access net
impersonating a user to reset password
using an unattended workstation
Security Intrusion & Detection
Security Intrusion
a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
Intrusion Detection
a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of attempts to access system resources in an unauthorized manner.
Hackers
The terms hacker and hack are marked by contrasting positive and negative connotations. Computer programmers often use the words hacking and hacker to express admiration for the work of a skilled software developer, but may also use them in a negative sense to describe the production of inelegant kludges. Some frown upon using hacking as a synonym for security cracking -- in distinct contrast to the larger world, in which the word hacker is typically used to describe someone who "hacks into" a system by evading or disabling security measures.
Hacker Behavior Example
1. select target using IP lookup tools
2. map network for accessible services
3. identify potentially vulnerable services
4. brute force (guess) passwords
5. install remote administration tool
6. wait for admin to log on and capture
password
7. use password to access remainder of
network
Criminal
• organized groups of hackers now a threat
– corporation / government / loosely affiliated gangs
– typically young
– often Eastern European or Russian hackers
– common target credit cards on e-commerce server
• criminal hackers usually have specific targets
• once penetrated act quickly and get out
• IDS / IPS help but less effective
• sensitive data needs strong protection
Criminal
1. act quickly and precisely to make their
activities harder to detect
2. exploit perimeter via vulnerable ports
3. use trojan horses (hidden software) to
leave back doors for re-entry
4. use sniffers to capture passwords
5. do not stick around until noticed
6. make few or no mistakes.
What is hacking?
Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)
Hacking is a felony in the
Intrusion Detection Systems
An Intrusion detection system (IDS) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling computer systems, mainly through a network, such as the Internet. These attempts may take the form of attacks, as examples, by crackers, malware and/or disgruntled employees. An IDS cannot directly detect attacks within properly encrypted traffic.
An intrusion detection system is used to detect several types of malicious behaviors that can compromise the security and trust of a computer system. This includes network attacks against vulnerable services, data driven attacks on applications, host based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
An IDS can be composed of several components: Sensors which generate security events, a Console to monitor events and alerts and control the sensors, and a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.
IDS Terminology
Alert/Alarm- A signal suggesting a system has been or is being attacked.
True attack stimulus- An event that triggers an IDS to produce an alarm and react as though a real attack were in progress.
False attack stimulus- The event signaling an IDS to produce an alarm when no attack has taken place.
False (False Positive)- An alert or alarm that is triggered when no actual attack has taken place.
False negative- A failure of an IDS to detect an actual attack.
Noise- Data or interference that can trigger a false positive.
Site policy- Guidelines within an organization that control the rules and configurations of an IDS.
Site policy awareness- The ability an IDS has to dynamically change its rules and configurations in response to changing environmental activity.
Confidence value- A value an organization places on an IDS based on past performance and analysis to help determine its ability to effectively identify an attack.
Alarm filtering- The process of categorizing attack alerts produced from an IDS in order to distinguish false positives from actual attacks.
Types of Intrusion-Detection systems
Network intrusion detection system (NIDS)
It is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts. Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, network switch configured for port mirroring, or network tap. An example of a NIDS is Snort.
Protocol-based intrusion detection system (PIDS)
It consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between a connected device (a user/PC or system) and the server. For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect. Where HTTPS is in use then this system would need to reside in the "shim", or interface, between where HTTPS is un-encrypted and immediately prior to its entering the Web presentation layer.
Application protocol-based intrusion detection system (APIDS)
It consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols. For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.
Host-based intrusion detection system (HIDS)
It consists of an agent on a host which identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability/acl databases) and other host activities and state. An example of a HIDS is OSSEC.
Hybrid intrusion detection system
It combines two or more approaches. Host agent data is combined with network information to form a comprehensive view of the network. An example of a Hybrid IDS is Prelude. Intrusion detection systems can also be system-specific using custom tools and honeypots.
IDS Principles
assume intruder behavior differs from
legitimate users
– expect overlap as shown
– observe deviations
from past history
– problems of:
• false positives
• false negatives
• must compromise
Distributed Host-Based IDS
NIDS Sensor Deployment
Passive system vs. reactive system
In a passive system, the intrusion detection system (IDS) sensor detects a potential security breach, logs the information and signals an alert on the console and or owner. In a reactive system, also known as an intrusion prevention system (IPS), the IPS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator. Though they both relate to network security, an intrusion detection system (IDS) differs from a firewall in that a firewall looks outwardly for intrusions in order to stop them from happening. Firewalls limit access between networks to prevent intrusion and do not signal an attack from inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm. An IDS also watches for attacks that originate from within a system. This is traditionally achieved by examining network communications, identifying heuristics and patterns (often known as signatures) of common computer attacks, and taking action to alert operators. A system which terminates connections is called an intrusion prevention system, and is another form of an application layer firewall. The term IDPS is commonly used to refer to hybrid security systems that both "detect" and "prevent".
Statistical anomaly and signature based IDSes
All Intrusion Detection Systems use one of two detection techniques: statistical anomaly based and/or signature based.
Statistical anomaly based IDS- A statistical anomaly based IDS establishes a performance baseline based on normal network traffic evaluations. It will then sample current network traffic activity to this baseline in order to detect whether or not it is within baseline parameters. If the sampled traffic is outside baseline parameters an alarm will be triggered.
Signature based IDS- Network traffic is examined for preconfigured and predetermined attack patterns known as signatures. Many attacks today have distinct signatures. In good security practice, a collection of these signatures must be constantly updated to mitigate emerging threats.
Distributed Adaptive Intrusion Detection
Intrusion Detection Exchange Format
Honeypots
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.
Honeypot Deployment
SNORT
• lightweight IDS
– real-time packet capture and rule analysis
– passive or inline
SNORT Rules
• use a simple, flexible rule definition language
• with fixed header and zero or more options
• header includes: action, protocol, source IP, source
port, direction, dest IP, dest port
• many options
• example rule to detect TCP SYN-FIN attack:
Alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg: "SCAN SYN FIN"; flags: SF, 12; \
reference: arachnids, 198; classtype: attempted-recon;)
Reference
William Stallings & Lawrie Brown. Computer
Security: Principles and Practice 1/e. Pearson.
2008.
END OF LECTURE 9