Computer Security is a hot issue these days. The popular press is full of articles about security matters, and corporations and government agencies are devoting much more time, energy and money to security issues than they did just a few years ago.

It is important to keep in mind that the vast majority of security problems are not technical, but social/interpersonal. Most breakins result not from a skilled hacker decrypting a password file or discovering a new software bug, but from events like someone calling the help desk claiming to be an employee who has forgotten his password, and having the help desk give out or reset the password for this person.

Many security holes of a technical nature can be attributed to software bloat; every time a new feature is added to the operating system, it introduces new opportunities for security holes. For example, when email was just used for ascii text, it could not be used to transmit viruses. When it became possible to email executable files; and mail clients would automatically execute such files, this became a wildly popular way for jerks to commit all kinds of havoc.

User Authentication

The first step in any kind of security system is authentication, i.e. determining that users are who they say they are. Authentication systems are based on
- Something the user knows, e.g. a password
- Something the user has, e.g. a key
- Something the user is, e.g. biorecognition systems

The most common authentication method is authentication with passwords. Most users, when left to their own devices, choose common words or names. This makes sense because it's easy to remember. However, this also leads to an obvious security breach; a malicious user can try all of the words in an online dictionary until he gets a hit. As a result, most systems now require that a user's password contain at least one non-alpha character.

In the old days, the password system on Unix systems was public. Anyone, even the bad guys, could read it. This was OK because the actual password was encrypted with a one-way encryption scheme. This meant that there was no way to figure out the plaintext password from the encrypted password. However, as computers became faster, it was feasible to get hold of the password file on a system, and run all of the words in a dictionary through the encryption scheme and see if there were matches with the encrypted passwords. Password files on modern systems are now generally private, which makes it more difficult to do this.

Before encrypting a user's password, Unix adds an extra 12 bits, called salt. Whenever users change their password, the salt is recalculated and this is stored as a part of their account information. The salt serves two purposes. First, it makes brute force methods more difficult, because not only do you need to search all of the the words in the dictionary, but you need to consider all words in combination with all 2¹² possible values of the salt.

Second, it makes it highly unlikely that two people who choose the same password would also have the same encrypted password. If the salt was not added, and Alice was able to read the password file, and some other user had chosen the same password as Alice, then Alice could see that some other user had the same encrypted password as she did, so she could log in as that user.

There is a Unix system call crypt, with this prototype.

char *crypt(const char *key, const char *salt);

This takes a password and a salt as arguments, and returns the encrypted version of the password, which is the value stored in the password file. The text points out that this is not technically an encryption algorithm, , because it is not possible to decrypt the value in the password file to get the original password and salt (even brute force doesn't work), but everyone calls this encryption anyway.

Modern systems usually allow only a limited number of login attempts (often three) before blocking that account. This effectively foils someone trying to guess a password.

Password systems are still vulnerable. Shoulder surfing, i.e. looking over someone's shoulder as they type their password, is hard to prevent. Network sniffing is commonplace; it is relatively easy for someone to read all of the traffic on a LAN. Utilities like telnet and ftp require a user to type their password and send it over the network, and so a network sniffer could get passwords in this way. This is why telnet and ftp have been replaced on most systems by the more cumbersome ssh (secure shell) and scp (secure copy). Both of these encrypt passwords before sending them over the network. More on these below.

Human failure is still the largest source of stolen passwords. Users often write their password on a piece of paper (or even on a post-it which they put on their monitor), or they share their password with a friend.

Some systems require that users periodically change their password as an additional security precaution. This is controversial because forcing users to change their passwords once a month (or whatever) encourages them to write down their password, which is a larger potential loophole.

Some systems are beginning to require higher levels of security. One system that I am familiar with issues each employee a gizmo called an authenticator. This displays a six digit random number which changes every few minutes. This gizmo is synchronized with the authentication server on the computer network. In order for an employee to be allowed to log in, they need to enter not only their password, but also the number currently showing on the gizmo.

One of the cutting edge authentication mechanisms now is using biometrics for authentication. This includes hand prints, retinal scans or voice prints. Currently these are still too expensive and too unreliable for routine use.

Privileges and access levels

The DOS operating system had no security or protection mechanisms. There was no concept of logging in or other kind of authentication, and any users with access to the computer could do anything that they wanted, including modifying or deleting any files. Most modern computer systems have protection mechanisms in place to prevent this. In such systems, each object (i.e. files, devices such as printers), has associated with it a list of privileges, i.e. a list of who can do what with it.

The classical Unix file permissions are a typical example. Each file has an owner, and a group associated with it. There are a number of permission bits associated with each file. Each one, when set, gives privileges to an individual or a group. There are three types of permission, read, write, and execute, associated with three categories of users, the owner, the group, and anyone. Thus there are nine permission bits associated with each file resulting from the three levels of permission for the three categories of users. The ls -l command displays these bits like this

drwxr-xr-x   foo
-rw-------   bar
-rw-rw-r--   myfile.c
-rwxr-x---   a.out

The file bar is a regular file, indicated by a - in the first column. The owner has read and write privileges for bar, no one else has any privileges. The file myfile.c can be read and written by the owner or the group, and anyone can read it. Note that read privileges include copying privileges. The file a.out can be read and written by the owner, read and executed by the group, but others cannot read or execute it.

Operating systems with such protection mechanisms need to allow one or more users to override all privileges. This is important so that a system administrator can kill rogue processes, delete illegal files and so on. This account is called root on Unix systems. It is a common occurence that a process which is executable by anyone needs to access privileged information. For example, consider a computer game which maintains a file of the high scores. The file should be world readable, but you certainly don't want just anyone to be able to write to it. The solution is that some executable processes allow a process to "run as root", i.e. one of the permission flags is called the set-user-ID flag, and when it runs, rather than having the privileges associated with the user who is running the process, which is usually the case, it acquires the privileges of the owner, often root. Any shell command which requires reading or writing kernel data structures has this feature.

Needless to say, this is potentially a major security loophole if a process is running as root and the user is able to modify it so that it can do nefarious things.

Recall that on RCS and other file systems that are running AFS, the Unix permission bits are ignored. AFS has a more sophisticated permission system in which each file has an access control list (ACL). Unix has a three by three matrix of permissions, with three types of permission and three categories of users. AFS has more types of permissions, and allows the owner of a file or directory to confer or remove privileges to other individual users. Privileges are allocated on a directory basis, not an individual file basis. There are four types of privileges for directories, lookup, insert, delete, and administer. There are three types of privileges for files within a directory, read, write, and lock.

Whenever a process attempts to access a resource (file, printer, or whatever), the operating system checks the access control list for that object to make sure that the user has the correct privileges.

An alternative to an ACL is to associate a Capability List with each user. This is a list of privileges for that user. In general, capabilities lists are larger, harder to administer, and more susceptible to tampering, so they are seldom used.

Some common security breaches

Once a hacker has logged on to a computer or computer system, he can do a number of things. (I can use the politically incorrect he here because virtually all hackers seem to be male. Hacking behavior is apparently either triggered by testosterone or suppressed by estrogen)

The term Trojan Horse refers to a seemingly innocent piece of code that does something malicious. Now that you know how to write the ls command, if you are able to break into a computer, you can replace the ls executable in /bin with your own version, which looks just like the real thing, but does something else as well.

A classic Trojan Horse, that does not even involve special privileges, works like this. Write a program that looks exactly like the login screen of the computer system. Run this program on one of the public computers and go away. An unsuspecting user will sit down at this computer and try to log in, entering his or her user id and password. Your program would collect this information, display a bad password error, and then quit, thus displaying the real login screen. The user thinks that he or she just mistyped the password, tries again, gets in, and doesn't know that anything unusual had happened, but you have been able to capture that user's password, thus allowing you to log in as that user. Microsoft Operating Systems prevent this by requiring the user to type cntl-alt-del before getting the login screen.

Your text describes a number of other Trojan Horses that I will not reiterate here.

Other types of attacks

The C library function gets(char *s) is a classic security loophole (and in fact the man page for it strongly recommends that you use fgets instead). Note that gets does not specify the size of the buffer s. Many early processes which listened for external connections used gets to read from the connection. For example, a telnet program might prompt the user to enter a password, and because passwords are small, the program might only allocate a buffer of size 16. If the buffer size was not large enough, the outside user could send a string which was longer than the buffer, and this would then overflow into some other part of the process memory space. The clever user could then modify the run time stack so that the server process would do something other than what it was supposed to, like read the password file or install a trojan horse. This can be done by modifying the return address in the stack if the user happened to know exactly where the return address was. Since most such servers run with root privileges, this could do a good deal of damage. The famous Internet worm of a few years ago used this loophole among others.

More recently, the Code Red virus used a similar flaw in a Windows dll. According to the National Infrastructure Protection Center:

The Ida Code Red Worm, which was first reported by eEye Digital Security, is taking advantage of known vulnerabilities in the Microsoft IIS Internet Server Application Program Interface (ISAPI) service. Un-patched systems are susceptible to a "buffer overflow" in the Idq.dll, which permits the attacker to run embedded code on the affected system. This memory resident worm, once active on a system, first attempts to spread itself by creating a sequence of random IP addresses to infect unprotected web servers. Each worm thread will then inspect the infected computer's time clock. The NIPC has determined that the trigger time for the DOS execution of the Ida Code Red Worm is at 0:00 hours, GMT on July 20, 2001. This is 8:00 PM, EST.

Viruses

A virus is a set of executable statements that attaches itself to another executable file or replaces it completely. These can potentially insert themselves into any other executable code, including kernel code such as interrupt vectors or even the boot sector. In this sense they are similar to biological viruses, which are unable to exist independently but are able to implant themselves in the genome of cells of other organisms

A variant of this is the macro virus. Many applications, such as spreadsheets, allow the user to write a macro, which is a script consisting of a number of keystrokes or commands, which can then be executed as a single command. These macros are very powerful, and in some cases can run Visual Basic programs. Thus the bad guy can embed such a virus in a spreadsheet or word document and email it to people. The unsuspecting user opens it, triggering the virus.

There are a number of ways to spread viruses. They can be embedded in executable programs on a website or just emailed to people. Anyone that runs the program then gets infected. Because a virus can do anything, one popular thing that they do now is to locate the user's email addressbook and send itself to everyone (or selected people) in the address book.

As viruses become more sophisticated, Virus detection software is also becoming more sophisticated. The typical commercial virus detection program looks for specific known viruses on your system by searching the files looking for known virus signatures. This method has two limitations. First, it cannot detect a brand new virus. Second, virus developers have begun to design small variability into their code so that they no longer have a specific signature.

Another very different form of virus detection involves periodically scanning all of the executable files on a system and noting their size, or even calculating some sort of check sum, hash number, or digital fingerprint for each one. If a later run discovers a different value for the same file, it means that the file has been modified and thus might contain a virus.

Protecting against security violations

There are a number of tools which system administrators can use to detect and prevent outside attacks. For example, there is a freely downloadable program called SATAN (System Administrator's Tool for Analyzing Networks) which a system administrator can run to detect a large number of known security holes on Unix systems, including the following:

• easy to guess passwords
• unauthorized setuid programs
• unauthorized progs in system directories
• unexpected long running processes.
• inproper directory protections
• improper protections on password files, device drivers, etc
• dangerous entries in the program search path
• changes to system programs detected with checksum values
• NFS file systems exported to unprivileged programs

Firewalls have become an almost universal protection tool. A firewall is a process, or often a separate computer, that sits between the world and a network (or between two networks) and it only lets certain types of packets pass in and out. A firewall is configurable on a port basis so that you can exclude packets coming to particular ports. There are two basic schemes, they can contain a list of the types of packets they will accept and reject all others, or they can contain a list of the types of packets they will reject and accept all others. Configuring a firewall is a constant tradeoff between the ease of getting work done vs. the risk of an intrusion.

Firewalls offer good protection against one common sort of intrusion, port scanning The bad guy will run a program that systematically tests all of the ports on your system to see which ones accept connections, and whenever they find such a port, they try to intrude through that port.

Here is a link to a good website about firewalls

Orange Book Security

The Department of Defense is interested in computer security, and they have developed a set of security standards for computer systems called the Orange book. The Orange Book has seven layers of security.

• Level D - no security at all. (MS-DOS, Windows 95/98/Me)
• Level C1 - cooperating users
  
  • protected mode kernel
  • authenticated user login
  • discretionary access control (owner of an object decides what privileges to give it)
  Many Unix systems, particularly early ones fit into this category.
• Level C2
  • objects must be given minimal access until changed by the owner
  • minimal auditing
  • objects (files, memory, etc) must be set to all zeros before being allocated to users.
  The CS Dept system does not meet this criterion because when a new user account is created, his or her home directory is public by default. Many students in this course may have gotten in trouble if they kept their assignments in their home directory.

  Historically, when a C or C++ program used malloc or new to get new memory, this memory was not zeroed out; it simply retained the contents that were already there. This could potentially lead to security problems since an evil or curious user could read this memory. Usually it would contain garbage, but occasionally it might contain interesting text. Level C2 forbids this.

• Level B require all controlled users and objects to be assigned a security label, such as unclassified, secret, or top secret. Each user has a security clearance. It requires mandatory access control for all objects and subjects
• Level A requires a formal model of the protection system, proof that the model is correct, and a demonstration that the implementation conforms to the model. The system has to have a verifiable security design.

ssh and its relatives

Two of the most widely used application layer protocols on the Internet used to be telnet which allowed a user to remotely log into a computer, and ftp, the file transfer protocol, which allowed a user to download files. Both of these are now generally considered to be obsolete because they required the user to enter a password which was sent over the network unencrypted, and this was a major security loophole.

telnet and similar programs such as rlogin (remote login) and rsh (remote shell) have been replaced by ssh, the secure shell, which most of you have been using all semester. This protocol requires that all communication, including passwords, be encrypted. In some ways it is similar to PGP, discussed in the previous lesson.

There is an ssh client and server as you would expect. Here is a typical set of steps that ssh goes through in establishing a connection using the SSH1 protocol.

• The client contacts the server. The ssh server typically runs on port 22.
• The client and server exchange information about the protocols that they support. This information is in plain text. They agree on an encrytion method.
• The server sends the client a host key. The client compares this host key to its database. If it has connected with this server before and if the host key is the same, it accepts the connection. Otherwise it asks the user whether to continue or not.
• The server sends the client its public key for RSA encyrption
• The client generates a random session key, encrypts it with the server public key, encrypts it again with the host key, and sends it to the server.
• The server decrypts the session key. This is used to encrypt and decrypt all further communication, using a method such as IDEA. Note that even if the bad guy had been able to read all of this communication through network sniffing, he would be unable to read the session key.
• The server prompts the client for a login name and password. These are encrypted by the client using the session key, and sent to the server.
• Once authentication has been established, all other communication both ways is encrypted using the session key, which is known by the client and the server, but not to the bad guys

The standard for secure communication for the World Wide Web is the Secure Socket Layer (SSL), developed by Netscape. This protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. SSL is built into all the major browsers and web servers.

In order to activate SSL, a server has to obtain a digital certificate. This is obtained from a trusted Certificate Authority (CA). There are a number of such authorities such as VeriSign. Applicants for certificates have to provide extensive documentation to the CA confirming that they are who they say they are. This prevents a malicious web site from pretending to be a vendor such as Amazon in order to get credit card numbers or other information.

When a client (browser) connects to a server, before any information is exchanged, the server sends an authentication packet, containing a time stamp, the digital certificate, and other information, all encrypted with their private key. The client decrypts the packet with the server's public key, obtained from the CA, and confirms that the information is correct.

Often a client may also have a digital certificate. This allows a server to confirm that clients are who they say they are.

Once each side has authenticated the other side, they agree on an encyrption method, and a session key (exchanged encrypted), and begin communicating. All subsequent communication is encrypted.

Other types of security problems

Even the most secure operating systems are vulnerable with certain types of new technology. It is possible for a person to be sitting in a car outside your home or office and with a device that picks up the electomagnetic signals from your monitor. Certain types of (very expensive) equipment can decipher these signals to reconstruct everything that is on your screen. The Federal Government has a program called temptest to develop defenses against this. Here is a website about Tempest if you wish to learn more about it.

Your text describes a technique called steganography in which a secret message is encoded in an ordinary image. An image which is stored as a matrix of pixel data generally stores the data at a higher resolution than the human eye can detect. Steganography stores the message by overwriting the least significant bit of each pixel. If the red value of a particular pixel is supposed to be 100, but it is 99 instead, no human can detect the difference. A color image has three bytes for each pixel, one each for the red, green, and blue values, so a 1024 by 768 image can contain a secret message of up to 2.3M bits.

Security and Authentication on Windows 2000

Windows 2000 provides a uniform access control facility that applies to processes, threads, files, semaphores, and other objects. Access control is governed by two entities, an access token assocated with each process and a security descriptor associated with each object.

Users are authenticated with a typical password system. The login process creates an access token. This token is inherited by any processes which are created by this initial process. The access token contains the following information.

• A Security ID (SID) - unique for each user
• Group SIDs - a list of groups to which this user belongs
• A list of security related privileges. These are set by the system administrator for each user. A typical user has no privileges
• A default ACL - an initial list of protections applied to objects that the user creates

Return to the course home page