Thursday, October 29, 2009

Lecture 10 : Cyberlaws

Cyberlaw is a term that encapsulates the legal issues related to use of communicative, transactional, and distributive aspects of networked information devices and technologies.
Malaysia has a vision towards a knowledge-based society and economy where ICT serves as a driver for restructuring of economy and employment.
Prerequisites include access to infrastructure and development of information, knowledge and applications.
Crime is hard to define
Crime is hard to define due to the slow but constant creating and changing laws, as well as many roles can a computer do in a crime.
Computer crime is hard to prosecute due to:
• Lack of understanding
• Lack of physical evidence
• Lack of recognition of assets
• Lack of political impact
• Complexity of case
• Juveniles
The organization who governs the cyberlaw is the Malaysian Communications and Multimedia Commission (Suruhanjaya Komunikasi dan Multimedia Malaysia).
Certification authorities that are licensed in Malaysia are Digicert and MSC Trustgate.
The Malaysian cyberlaws include:
Digital Signature Act 1997 – regulation of the public key infrastructure, PKI.
Copyright (Amendment) Act 1997 – protection of the expression of thoughts and ideas from unauthorized copying and/or alteration
Telemedicine Act 1997 – regulation of the practice of teleconsultations in the medical profession.
Computer Crimes Act 1997 - to ensure that misuse of computers is an offense.
Communications and Multimedia Act 1998 - defines the roles and responsibilities of those providing communication and multimedia services

It is difficult to accept the existence of the internet and electronic transactions.
There are three aspects that are related to trust, confidence and acceptability : -
Trust and confidence from protection of confidentiality and privacy given to personal data
Trust and confidence from security of electronic transactions
Acceptability of the internet from efforts to optimize positive use of internet and minimize negative impacts

Lecture 9 : The Legal and Ethical Issues in Somputer Security

A law is a rule of conduct or action prescribed or formally recognized as binding or enforced by a controlling authority. Categories of law include
• Civil law
• Criminal law
• Tort law
• Private law
• Public law
Ethics is a set of moral principles or values or principles of conduct governing an individual or group.
The key difference between laws and ethics is that laws carry sanctions of a governing authority and ethics do not. Ethics in turn are based on cultural mores: the fixed moral attitudes or customs of a particular group.
Law Ethics
 Formal, documented
 Interpreted by courts
 Established by legislature representing everyone
 Applicable to everyone
 Priority determined by courts if two laws conflict
 Enforceable by police and courts
 Described by unwritten principles
 Interpreted by individuals
 Presented by philosophers, religions, professional group
 Personal choice
 Priority determined by individual if two principles conflict

Different cultures may have different ethics. Ethical differences may include:
• The consideration of ethics in the use of computers
• Nationalities behavior conflicts with the ethics of another national group
There is an understanding towards software license infringement, but individuals felt that their use of software is not piracy, or the society permitted piracy in some way.
Lack of disincentives and punitive measures explains this unobliviousness of the intellectual property laws.
Unilateral studies condemned viruses, hacking and other illicit activities as an unacceptable behavior.
Low degree of tolerance for illicit system may be a function of the easy association between common crimes.
Individuals may have the possibility of misusing corporate resources.
Differences in computer ethics are not exclusively international, but are found among individuals within the same social circle.
IT personnels have the responsibilities of deterring unethical acts and to use policy, education, training, and technology to protect information systems.
Three general categories of unethical and illegal behavior are:
• Ignorance
• Accident
• Intent
The current best method for preventing an illegal/unethical activity is deterrence.
Copyrights are designed to protect the expression of ideas, which applies to creative and original work. Patent applies to the result of science, technology and engineering which protects new and useful device or process for carrying out an idea.
The owner of originality must keep trade secrets by any means. However, its protection can be simply broken through reverse engineering.
Open source software can be affected by copyright protection through:
• Controlling the right to copy the software
• Controlling the right to distribute the software
• Subject to fair use
• Ease of filing
• Sue if copy sold
• Ownership of copyright
Information is treated as an object which is considered:
• Not depletable
• Can be replicated
• Minimal margin cost
• Value is timely
• Often intangibly transferred
Legal issues related to information include:
• Information commerce
Problem – how to ensure software developer/publisher receives just compensation for software usage?
Solution – copy protection, freeware, controlled distribution.
• Electronic publishing
Problem – assurance that publisher receives fair compensation for work
Solution – cryptographic-based technical solutions
• Electronic commerce
Problem – how to prove conditions of delivery
Solution - Digital signatures and other cryptographic protocols
Rights of employees and employers include
• Ownership of a patent
• Ownership of a copyright
• Work for hire
• Licenses
• Trade secret protection
• Employment contracts
We should all know that computer crimes are hard to prosecute due to:
 low computer literacy (lack of understanding)
 no physical clues (lack of physical evidence)
 intangible forms of assets
 considered as juvenile crime
 Lack of political impact
To examine ethical issues, we must
1. Understand the situation. Determine the issues involved.
2. Know several theories of ethical reasoning
3. List the ethical principles involved
4. Determine which principles outweigh others.

Lab 8 : Wireless Security

In this lab session, we were introduced to the methods of hacking wireless networks. The weakest of the encrypted wireless networks is the Wireless Equivalence Privacy (WEP).
Wired Equivalent Privacy (WEP) is a deprecated algorithm to secure IEEE 802.11 wireless networks. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks. When introduced in 1997,[1] WEP was intended to provide confidentiality comparable to that of a traditional wired network.

In this lab session, we have used a Backtrack version 2 to crack a router's passphrase which is set up with a 64-bit encryption. For my own, I've used a Backtrack version 3 because previously I was exploring on how to hack WEP networks myself.

For the information of you readers out there, Backtrack is a Linux distribution designed to do penetration tests.

Tools included that are necessary for our lab session are:
Kismet - a wireless network detector and packet sniffer
airmon - a tool that can help you set your wireless adapter into monitor mode(rfmon)
airodump - a tool for capturing packets from a wireless router(otherwise known asan AP)
aireplay - a tool for forging ARP requests
aircrack - a tool for decrypting WEP keys
iwconfig - a tool for configuring wireless adapters. You can use this to ensure that your wireless adapter is in "monitor" mode which is essential to sending fake ARP requests to the target router
macchanger - a tool to view and/or spoof MAC address

We firstly used Kismet to monirot wirelss traffic.
Data is collected with Airodump to collect ARP replies from the target AP.
The third step is to associate the wireless card with the AP by using aireplay.
The fourth step is to start injecting packets with aireplay.
Lastly, we decrypt the WEP key using Aircrack.

Lecture 8 : Wireless Security

Wireless Security is covered in this lecture session. The components of 802.11 or also known as Wi-Fi are wireless station and access point. The Wi-Fi focuses on Layer 1 and 2 in the OSI model. It has two modes namely infrastructure and ad-hoc mode.
RTS/CTS (Request to Send / Clear to Send) is the optional mechanism used by the 802.11 wireless networking protocol to reduce frame collisions introduced by the hidden terminal problem. Originally the protocol fixed the exposed terminal problem as well, but modern RTS/CTS include ACKs and do not solve the exposed terminal problem.
In Wi-Fi we have three kinds namely 802.11a, 802.11b and 802.11g.
When a Wi-Fi client enters range of one or more APs, APs does the following:
• Send beacons
• Beacon includes SSID
• AP chosen on signal strength and observed error rates
• Accepts client – client tunes to AP channel
Wi-Fi client checks for stronger and more reliable APs and re-associate with the new AP.
Re-associations with APs are done when moving out of range, high error rates, and high network traffic.
AP has 14 channels and only three channels don’t overlap.
Open System Authentication (OSA) is a process by which a computer can gain access to a wireless network that uses the Wired Equivalent Privacy (WEP) protocol. With OSA, a computer equipped with a wireless modem can access any WEP network and receive files that are not encrypted.
Access points have Access Control Lists (ACL), a list of allowed MAC addresses. However, they are sniffable and spoofable.

As we all know that wireless LAN uses radio signal. This signal is usually weakened by walls, floors and other radio interferences. The way to solve this problem is by using a directional antenna since it allows interception over longer distances and provides focused reception.
Three basic services provided for the Wi-Fi environment are authentication, integrity and confidentiality.
Security services provided by the 802.11b are shared key authentication and Wired Equivalence Privacy (WEP encryption).
Wired Equivalent Privacy (WEP) is a deprecated algorithm to secure IEEE 802.11 wireless networks. Wireless networks broadcast messages using radio and are thus more susceptible to eavesdropping than wired networks.
RC4 (also known as ARC4 or ARCFOUR meaning Alleged RC4, see below) is the most widely-used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks).
In two devices that use Shared Key Encryption, the steps that occur are as follows:
1. The station sends an authentication request to the access point.
2. The access point sends challenge text to the station.
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and it sends the encrypted text to the access point.
4. The access point decrypts the encrypted text using its configured WEP key that corresponds to the station's default key. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP key, and the access point authenticates the station.
5. The station connects to the network.
In WEP safeguards, shared secret key is required for association with access point, sending and receiving data. Messages are encrypted for confidentiality and possess checksum for integrity. But the management traffic still broadcasts SSID.
An initialization vector (IV) is a block of bits that is required to allow a stream cipher or a block cipher to be executed in any of several streaming modes of operation to produce a unique stream independent from other streams produced by the same encryption key, without having to go through a (usually lengthy) re-keying process.
To commit a passive WEP attack, the attacker collects all traffic. By this, he/she could collect two messages:
• Encrypted with same key and IV
• Statistical attacks to reveal plaintext
• Plaintext XOR Ciphertext = Keystream
For active WEP attack, if the attacker knows plaintext and ciphertext pair, the keystream is known, the attacker can create correctly encrypted messages and the AP is deceived into accepting the message.
A bit-flipping attack is an attack on a cryptographic cipher in which the attacker can change the ciphertext in such a way as to result in a predictable change of the plaintext, although the attacker is not able to learn the plaintext itself.
Some vendors allow limited WEP keys from the passphrase created by users into only 21 bits of entropy in 40bit key. But this key is weaker and easier to be cracked.
A brute force attack is a strategy used to break the encryption of data. It involves traversing the search space of possible keys until the correct key is found. With this, ciphertext is captured with IV and 240 possible secret keys are searched. Lastly ciphertext is decrypted.
WEP has extended to 128 bits, which means 104 bit secret key and 24 bit IV is available. So, this makes It harder to decrypt.


Weakness of WEP:
• The initialization vector is too small (16 million IV values).
• The integrity check value (ICV) algorithm is not appropriate.
• WEP’s use of RC4 is weak.
• Authentication messages can be easily forged.
WEP cracking tools include:
• WEPCRACK – first tool to demonstrate attack using IV weakness
• AIRSNORT – Automated tool that sniffs, searches for weaker IVs, records encrypted data until key is derived.
Ways to generate WEP traffic include:
• Capture encrypted ARP request packets
• Anecdotally lengths of 68, 118 and 368 bytes appear appropriate
• Replay encrypted ARP packets to generate encrypted ARP replies.
The above ways are implemented into Aireplay.
For this entire lesson, we know that wireless LAN is not reliable and cannot be trusted. We still need firewall between WLAN and Backbone, extra authentication, IDS at WLAN/Backbone junction, and assessments on vulnerabilities in WLAN.
It is pretty easy to search for unauthorized APs, ad-doc networks and clients. We can easily do port-scanning for unknown SNMP agents and web/telnet interfaces, plus war-walking where you can walk around with your laptop and sniff data packets, identify IP addresses and detect signal strength.
There are also wireless intrusion detection tools to counter this above attacks, such as Airmagnet, AirDefense, Trapeze, Aruba, etc.
AP’s security should be reviewed. Firewalls and router ACLs should be utilized and limit the usage of AP administration interfaces. Configuration of APs should be done at SSID, WEP keys, and community string and password policy.
Station protection includes personal firewalls, VPN from station into Intranet, host intrusion detection, configuration scanning.
Locations of APs should be set at the center of buildings. Radio signal should be pointed using a directional antenna.
Temporal Key Integrity Protocol (TKIP) implements a key mixing function that combines the secret root key with the initialization vector before passing it to the RC4 initialization.
Wi-Fi Protected Access (WPA and WPA2) is a certification program created by the Wi-Fi Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance to secure wireless computer networks. This protocol was created in response to several serious weaknesses researchers had found in the previous system, WEP (Wired Equivalent Privacy).
WPA has two modes being the:
• pre-shared mode which uses pre-shared keys
• Enterprise mode which uses the Extensible Authentication Protocol (EAP), the transport for authentication.
Practical WPA attacks include:
• Dictionary attack on pre-shared key mode
• Denial of Service (DoS) attack

Lab 7 : Security in Network

In this lab, we are taught on how to
• Identify the vulnerabilities of FTP.
• Using Wireshark to capture FTP username and password.
• Explain what is IPSec.
• Enabling IPSec for securing FTP session

Short for IP Security, a set of protocols developed by the IETF to support secure exchange of packets at the IPlayer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs).
IPsec protocol suites contain various protocols for performing functions:
• Internet key exchange (IKE and IKEv2)
• Authentication Header (AH)
• Encapsulating Security Payload (ESP)
We are also demo’ed on how to capture FTP username and password using Wireshark. In this demonstration we need 2 Windows 2003 VMs with one of them installing Wireshark and FTP, as well as an administrator account. One VM will act as a server and one acting as client.
To learn more on how to sniff passwords on FTP using Wireshark, please visit
http://www.securitytube.net/Password-Sniffing-with-Wireshark-(Laura-Chappell)-video.aspx

To ensure security in FTP transactions, IPsec is used. IPSec will encrypt the data sent using normal FTP connection, thus only the authorized party can see the content. There are actually a lot of ways of using IPsec. One of it is using a built-in IPsec setting in Windows 2003. Basically authentication methods and security policies can be set. Besides that, a secure server can also be set.
For more information on how to implement IPsec in Windows 2003, please visit
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3489911

Lecture 7 Security in Applications

In this lesson, we are taught about application security.
We covered on email security. Normally the security features provided in email is as follows:
• Confidentiality
• Data origin authentication
• Message integrity
• Non-repudiation of messages
• Key management
Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of e-mail to support:
 Text in character sets other than ASCII
 Non-text attachments
 Message bodies with multiple parts
 Header information in non-ASCII character sets

Threats enabled by email are as follows:
• Disclosure of sensitive information
• Exposure of systems to malicious code
• Exposure of systems to denial of service attack
• Spamming
S/MIME (Secure / Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of e-mail encapsulated in MIME. S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption).
Pretty Good Privacy (PGP) is a computer program that provides cryptographic privacy and authentication. PGP is often used for signing, encrypting and decrypting e-mails to increase the security of e-mail communications.
Web security includes:
• Security of server
• Security of client
• Network security between a browser and server.
SSL/TLS is used in web browsers and servers to support ‘secure e-commerce’ over HTTP. SSL architecture provides two layers which are SSL Record Protocol and Upper Layer Carrying.
Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. SSH provides security at the application layer.
SSH applications include:
• WRQ SSH supports SSH protocol 2 and sftp file transfers.
• SecureCRT from Van Dyke Technologies, Inc. supports the sftp protocol via its vcp command.
• SSH Communications Security offers a free client for non-commercial use.
SET is an open encryption and security specification designed to protect credit card transactions on the internet.
Drawbacks of SET are:
• Two pairs of public keys per entity
• Assumes full PKI is available
• Merchant does not see payment instrument used
As we all know how the Internet works, I will not explain on that. The thing that we should concern about is how to secure the web. The web can be secured with these methods:
• Authentication
• Access control via address
• Multilayer security
What most interests me about application security is biometrics. Biometrics refers to methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. In information technology, in particular, biometrics is used as a form of identity access management and access control. It is also used to identify individuals in groups that are under surveillance.
Verification is a one-to-one comparison which confirms a claimed identity while identification is a one-to-many comparison which establishes the identity of a subject from a set of enrolled persons.
Biometric characteristics can be divided in two main classes:
 Physiological are related to the shape of the body. Examples include, but are not limited to fingerprint, face recognition, DNA, hand and palm geometry, iris recognition, which has largely replaced retina, and odor/scent.
 Behavioral are related to the behavior of a person. Examples include, but are not limited to typing rhythm, gait, and voice. Some researchers have coined the term behaviometrics for this class of biometrics.

Static biometric methods:
 Fingerprint recognition
 Retinal scan
 Iris scan
 Hand geometry
Dynamic biometric methods:
 Signature recognition
 Speaker recognition
 Keystroke dynamics

Lab 6 : Database Security

This lab session covered the issues of database security. We should:
• Understand the importance of security issues specifically in database systems and the problem related to information protection
• Investigate the potential implementation of security mechanism in the database management system and operating system

We were exposed about the security issues that are specific to database systems, the problem of protecting information in statistical database and examine the potential interactions between security mechanism in the database management system and underlying operating system.