information security -...

Linneaus-Palme Project

Information Security

Avinanta TariganGunadarma University

Indonesia

[email protected]://ps-sekuriti.gunadarma.ac.id

mailto:[email protected]


Indonesia


Gunadarma University

● One of five largest private University in Indonesia

● Approx 30.000 students, 1000 lectures● Bachelor, Master, Doctoral programs● 8 Faculties, 20 Departments, Mostly awarded

“A” by Government Accreditation Board● 12 Campus Locations across Jakarta● Top 5 Webomatriks Rank, 4ICU, in Indonesia


MySelf

● 1997 – Bachelor (Hons) in Computer Science, Gunadarma University

● 2007 – PhD in Computer Science, University of Bielefeld, Germany

● Since 1995 has been involved in ICT related project and research– Developed Certification Authority System for

Indonesian Telecom– Conducted security audit on several government

agencies and companies


Information Security-Why do we need one ?


Why do we need one ?

● Information becomes capital, has economic value lots of interests→

● Beyond physical security● “Misuse” of Internet and its Applications

– TCP/IP was never designed to be secure protocol– More applications are developed on top of Internet– More devices are connected to Internet

● User's awareness of Information Security is still low


Basics


Basics

● The state of the system in the information security context :– Secure – Insecure– Path Leads to Insecure States

● Yellow path is caused by Vulnerability in the System

● Vulnerability /\ Attack → Security Violation● An Exploit is attack technique for particular

vulnerability


So What is Information Security ?

● The objective of information security is : to keep the system always in green state and keeping yellow and red states unreachable.

● Security engineering is about building systems to remain dependable in the face of malice, error and mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves (Ross Anderson)


Security Policy

● Basically, a security policy defines all secure states, insecure states, and security violation states of a system in organization, company, or even in country.

● It also defines procedures in order to reach security objectives

● Derived from Security Requirements after assessing Security Risk of all asset and possible threats.


The whole concept in a Diagram


The System

● A system can be:– a product or component (PC, smartcard,…)– some products plus O/S, comms and infrastructure– the above plus applications– the above plus internal staff– the above plus customers / external users– the above plus third party– the above plus government policy

● Common failing: policy drawn too narrowly


The System … (continued)

● Example :– X Bank defines their system as network, PCs,

servers, applications, databases, located and installed in their building

– Y Bank defines their system not only their servers etc, but also the network and PCs of their customers used to access Internet Banking service.

● Tell me what you think !● Give me another example


The System … (continued)

● “Security is chain of trust. It is only as strong as its weakest link” (Bruce Schneier)

● A chain represents any element of the system● Attacker only needs to find vulnerability and

corresponding exploit of weakest chain, and security breaks.

● Adding elements in the system : the security is becoming more complex since there are more chains


Attack

● Dimension of Attack :– Physical Attack : laptop – flash-disc - hard-disk theft,

cut the electrical supply, anti-tamper-proof– Syntatic Attack : buffer overflow, SQL injection, API

attack, etc– Semantic Attack : social engineering, site phising,

Nigerian Scam

Target of attack is not only limited to computer system.


Attack (continued)

– Passive Attack: ● Packet Sniffing, Spying, Statistical Analysis● Relative difficult to detect

– Active Attack:● Man-In-The-Middle● Packet Spoofing● Packet Flooding, Denial of Service (DoS)● Reply Attack


Attack (continued)


Vulnerability

● Computer system behavior are determined by :– Algorithms – User Command

● A flaw / Bug in algorithm and user input/command can lead to vulnerability

● The most common vulnerability :– SQL Injection– Buffer Overflow– OS Command Injection– Cross-site scripting– etc


Attack (continued)

● XSS (Cross Side Scripting)● Enables attacker to execute

malicious code on behalf of trusted principle

● Example :● Session Hijacking● Automatic Friend Addition in

MySpace


Vulnerability

● Computer System Failure - Related to Safety :– Ariane V explosion :

● The internal SRI software exception was caused during execution of a data conversion from 64-bit floating point to 16-bit signed integer value. The floating point number which was converted had a value greater than what could be represented by a 16-bit signed integer. This resulted in an Operand Error.

– Airbus A320 Mullhouse● The designed fly-by-wire logic determined that in that

particular situation, alpha-floor protection should be sufficiently preserved, thus did not respond to pilot's command to increase power of the engines.


Vulnerability● Most of EDC Terminals has

Anti-Tampering-Mechanism to protect secret information used to send data to/from bank host

● Flaw in the hardware design enables attacker to collect sensitive information using driller, a paper clip to get into serial connector and a sniffing device

● Works only in Laboratory ?

● No. July 2008 – 'new' terminals found to be sending card and PIN data to Karachi


Vulnerability

● EMV deployed all over the world● Liability shift disputes charged →

to cardholder if pin used, else to merchant

● Flaw in the protocol between card and reader

● A stolen card connected with computing device enables attacker to accomplish transaction using any PIN


Vulnerability

● Flaw in API Hardware Security Module– HSM is crypto-machine used in electronic financial

transactions (ATM, EMV), and store the master key that never get out from the device

– Attacker who has access to the HSM, using computing device, can learn the key in 2 days

● Flaw in Cryptographic Protocol– Needham Schroeder & Earliest SSL

● And many more ...


Vulnerability

● Attacker creates an additional panel with skimming device, to be put on top of ATM panel

● It sniffs magnetic card data and the PIN

● Attacker makes a fake card and uses retrieved PIN to steal money


Vulnerability

● Using toothpick and hair-lotion to make the inserted card stuck in the card reader

● Call-center information is manipulated, customer calls the fake call-center, ending up giving the PIN

● Attacker recovered the card and use it to withdraw customer money from the ATM


Terminology

● A subject is a physical person● A person can also be a legal person (firm)● A principal can be

– a person– equipment (PC, smartcard)– a role (the officer of the watch)– a complex role (Alice or Bob, Bob deputising for Alice)

● The level of precision is variable – sometimes you need to distinguish ‘Bob’s smartcard representing Bob who’s standing in for Alice’ from ‘Bob using Alice’s card in her absence’. Sometimes you don’t


Terminology

● Secrecy is a technical term – mechanisms limiting the number of principals who can access information

● Privacy means control of your own secrets● Confidentiality is an obligation to protect

someone else’s secrets● Thus your medical privacy is protected by your

doctors’ obligation of confidentiality


Terminology

● Anonymity is about restricting access to metadata. It has various flavours, from not being able to identify subjects to not being able to link their actions

● An object’s integrity lies in its not having been altered since the last authorised modification

● Authenticity has two common meanings – – an object has integrity plus freshness– you’re speaking to the right principal


Terminology

● Trust is the hard one! It has several meanings:

– a warm fuzzy feeling– a trusted system or component is one that can break the

security policy– a trusted system is one I can insure– a trusted system won’t get me fired when it breaks

● We use number 2 above – by default. e.g. an NSA man selling key material to the Russian is trusted but not trustworthy (assuming his action unauthorised) (Anderson, 2004)


Terminology

● And the not least important is :

Accountability● The capability of a system to preserve

information about any change of system state by means of :

Who , What , When , Whom

information security -...

Documents