ITGS

Security

Authentication

How Secure is my password? is a site that performs similar calculations to this exercise, while Microsoft's Password Checker simply assesses the strength of a given password.

Exercise 5-1 - Consider the passwords that you use for common tasks like logging into your computer, email, social networking sites, and so on. How many of those passwords meet the criteria in the table below? How many of your passwords would you consider strong?

Password for | Password length (characters) | Password uses numbers? | Password uses uppercase and lowercase? | Password uses symbols? | Password age (last changed?)
Windows      |                              |                        |                                       |                        |
Google       |                              |                        |                                       |                        |
Email        |                              |                        |                                       |                        |
Other        |                              |                        |                                       |                        |
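The calculation that sites such as How Secure is my password? perform can be reproduced from the table's own criteria. The following Python is an added example, not code from the page or from any of the linked sites: it evaluates the four tick-box criteria on a password, works out the size of the character set the password draws from, and converts that into a keyspace (in bits) and an exhaustive-search time. The sample passwords and the guess rate of 10 billion per second are constructed assumptions.

```python
import math
import string

SYMBOLS = set(string.punctuation)   # the 32 printable ASCII symbols

def criteria(pw):
    """The four tick-box criteria from the table, evaluated on one password."""
    return {
        "length": len(pw),
        "uses_numbers": any(c.isdigit() for c in pw),
        "uses_upper_and_lower": any(c.isupper() for c in pw) and any(c.islower() for c in pw),
        "uses_symbols": any(c in SYMBOLS for c in pw),
    }

def alphabet_size(pw):
    """Size of the smallest standard character set covering every character used."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in SYMBOLS for c in pw): size += len(SYMBOLS)
    return size

def keyspace_bits(pw):
    """log2 of how many passwords share this length and alphabet, i.e. how many
    'guessing bits' someone who knows only those two facts has to search."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))

def exhaustive_search_seconds(pw, guesses_per_second=1e10):
    """Average time to find the password by trying half the keyspace.
    1e10 guesses/s is an assumed figure (fast unsalted hash on dedicated hardware);
    a deliberately slow password hash such as bcrypt lowers it by orders of magnitude."""
    return (2 ** keyspace_bits(pw) / 2) / guesses_per_second

def is_strong(pw, min_length=12):
    """'Strong' here means: long enough and ticking all three character-class boxes."""
    c = criteria(pw)
    return (c["length"] >= min_length and c["uses_numbers"]
            and c["uses_upper_and_lower"] and c["uses_symbols"])

if __name__ == "__main__":
    # Constructed sample passwords, not real ones.
    for pw in ["password", "Summer2019", "T7#kq!Lz9pRw"]:
        print(pw, criteria(pw), round(keyspace_bits(pw), 1),
              f"{exhaustive_search_seconds(pw):.0f}s", is_strong(pw))
```

One caveat the table cannot express: the keyspace figure assumes the attacker has no better idea than trying every combination. A dictionary word such as "password" scores 37.6 bits by this measure yet sits at the top of every wordlist, so a real attack finds it immediately; length and character classes only help when the password is not a word, name or date in the first place.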

In 2006 MythBusters showed that biometrics has issues.

As you watch the videos below, ask yourself:

Assignment:

At the 2001 Super Bowl, a new biometric technology was tried out on sports fans for the first time. Facial recognition software, linked to security cameras at the stadium entrances, scanned the face of everybody entering, and compared them with a police database of known criminals.


Hacking

We will analyze the subculture of hacking, its potential threats and implications for individuals and societies.

Hacking refers to gaining unauthorized access to computer systems. This is usually done by exploiting weaknesses in the target system's security, such as problems with network security or vulnerabilities in specific software being used on the system. We will start by watching the following video:

The Telegraph's Five of the biggest hacking attacks is a good introduction to hacking and its social impacts. Security lapses at Apple and Amazon lead to an epic hack is an excellent resource explaining how a major hack was performed using a variety of techniques, including social engineering.

With information technology systems becoming ever more ubiquitous, more and more systems are potentially vulnerable to hacking, including transportation systems, television stations, telephone networks, and even electronic hotel door locks. Many organizations also store customers' personal and credit card data and passwords, making them tempting targets for hackers. Multiple companies, including AT&T, Sony, McDonald's and Twitter have been the victims of such attacks.

Hackers sometimes take novel approaches to their crimes: in 2013 a group of Australian hackers broke into a CCTV network at a casino (Wired) and used it to watch other players' hands - winning $33 million before they were caught.

Social Engineering

Hacking humans is an article from the Washington Post explaining just how easy and effective social engineering attacks can be. Using social media to launch a cyberattack discusses the risks of revealing personal information on social networks and explains how criminals can use this against you. My career as a professional bank robber is a first-hand account of a man who used to use social engineering techniques to commit crimes.

Read an article on the 15 Greatest Hacking Exploits.

From home, access the SlaveHack web site. This site features a completely safe and virtual environment that allows you to learn about hacking by participating in an online game that teaches you some of the techniques that hackers use to break into computers.

Can you solve this!!! Puzzlers World - Hacker Puzzle

Assignment

After researching hacking, please take a moment to think about the social and ethical consequences of hacking.


Malicious Software

Viruses, Worms, Trojan Horses, Spyware, Rootkits, Malware, Denial of Service, Drive-by Downloads... oh my!

Mikko Hypponen: Fighting viruses, defending the net TEDGlobal 2011 · 17:34

Research the following infamous computer viruses and worms:

Assignment

You are to create a presentation (Prezi etc.) of one of the above internet threats. Your presentation should include the following:

Be sure to distinguish between:

  1. Phishing & pharming
  2. Botnets
  3. Keystroke monitoring
  4. Spyware, adware & spam
  5. Viruses-worms-trojans
  6. Spoofing & Identity theft

Think you can outsmart the Internet scammers? Take the Phishing Quiz

Passed that one? OK, then try the Pharming Quiz

Resources


Spam

Spammers often take advantage of people's interest in gossip and breaking news, frequently 'hijacking' the latest story by sending emails purporting to offer more information. Hi-tech thieves target Olympics (BBC) and The Michael Jackson spammers (BBC) illustrate this well.

Despite the inherent difficulties caused by the nature of the Internet, spammers and botnet creators are sometimes caught, as 'Spam gang' leader faces $15m fine (BBC), Spam text message pair are fined £440,000 (BBC), and Jail sentence for botnet creator (BBC) prove.

Assignment

Some people have suggested that making a small charge for sending an email could drastically reduce the problem of spam. Even a price of one cent per email would make mass emailing expensive but be minor for most users. Discuss the effectiveness of this solution. [8 marks]


Phishing

SonicWALL Phishing IQ Test and Anti-Phishing Phil are two resources that test a user's ability to spot phishing attempts - they are both harder than you might imagine!

How to Recognize Phishing Messages (Microsoft) and the Anti-Phishing Working Group are valuable resources for advice on avoiding being a victim.

Vishing attacks are phishing attacks that are performed using VoIP systems.

Protecting your business from phishing attacks contains useful advice.


Encryption

http://users.telenet.be/d.rijmenants/en/enigmasim.htm

After learning about hacking and how it compromises data security, we will learn about the next step in protecting data, by means of encryption.

Make any enquiry about computer security, and you will almost immediately come across the terms cryptography and encryption (and also decryption), but what exactly is meant by this? The Oxford English Dictionary defines cryptography as hidden writing. It has been around for a very long time. The Ancient Egyptians, the Arabs and the Romans developed their own encryption systems.

The most famous encryption machine invented was the Enigma (see picture on the right - click picture for Enigma Simulation), used in the Second World War to send military messages.

How does cryptography & encryption work?

One of the best examples of early cryptography is the Caesar cipher, named after Julius Caesar because he is thought to have used it even if he didn't actually invent it.

It works like this. Take a piece of paper and write the alphabet along the top edge. Take another piece of paper and do the same thing. You should then have two lines of letters like this:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
ABCDEFGHIJKLMNOPQRSTUVWXYZ

Now write your message: SEND MONEY TONIGHT

Move one of your pieces of paper one or more letters to the right so that the two alphabets no longer line up. That should look like this:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
YZABCDEFGHIJKLMNOPQRSTUVWX

Now every time you see a letter of your message in the top line, write down instead the letter on the bottom line.

SEND MONEY TONIGHT becomes QCLB KMLCW RMLGEFR

What you have done is perform a cryptographic transformation on your message: you have encrypted it.
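The two strips of paper can be written out as a short program. This Python is an added example, not code from the page: the key is the letter that sits under A on the slid strip (Y in the worked example), encryption and decryption slide the strip the same distance in opposite directions, and the last function tries every possible key to show why this is only a teaching cipher.

```python
import string

ALPHABET = string.ascii_uppercase

def shift_for(key_letter):
    """The key is the letter under A on the slid strip. In the worked example
    that letter is Y, so A->Y, B->Z, C->A: a shift of 24 (the same as -2)."""
    return ALPHABET.index(key_letter.upper())

def caesar(text, shift):
    """Replace each letter with the one `shift` places along the alphabet,
    wrapping round at Z. Spaces and other non-letters are copied unchanged,
    exactly as in the paper version."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def encrypt(plaintext, key_letter):
    return caesar(plaintext, shift_for(key_letter))

def decrypt(ciphertext, key_letter):
    # Same key, strip slid the other way: one shared secret for both directions,
    # which is what makes this a secret-key (symmetric) cipher.
    return caesar(ciphertext, -shift_for(key_letter))

def all_keys(ciphertext):
    """Decrypt under every possible key. Only 25 keys change anything, so an
    eavesdropper who knows the method can simply read all 25 candidates and
    pick the one that is English; the cipher's secrecy rests on a key space
    far too small to matter."""
    return {k: decrypt(ciphertext, k) for k in ALPHABET if k != "A"}

if __name__ == "__main__":
    c = encrypt("SEND MONEY TONIGHT", "Y")
    print(c)                        # QCLB KMLCW RMLGEFR
    print(decrypt(c, "Y"))          # SEND MONEY TONIGHT
    for k, candidate in all_keys(c).items():
        print(k, candidate)         # the real message appears beside key Y
```

The point of `all_keys` is the one the next section makes about key secrecy: with the Caesar cipher, keeping the key secret is not enough, because there are so few keys that an attacker does not need to discover it at all.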

Secret key encryption

The method described above, where the same key is used for both encryption and decryption, is known as secret key encryption (also called symmetric key encryption or single key encryption). A fundamental problem with this approach is that the key used for encryption and decryption must be kept secret. If someone discovers the key, they could:

Diagram of the secret key encryption (symmetric key encryption) process, from page 107 of the book.

Public key encryption

A much better approach is public key encryption (also called asymmetric key encryption). This uses a key pair: a public key which is used only for encryption, and a private key which is used only for decryption.

Diagram of the public key encryption (asymmetric key encryption) process, from page 107 of the book.

Diagram of the biometric enrolment and authentication process, from page 92 of the book.

Digital signing & digital certificates

When Bob receives a message from Alice, how can he be sure it was really Alice who sent the message?

A digital signature can be used to authenticate the sender of the message. Alice uses her private key to digitally sign her message. When Bob receives the message he can use Alice's public key to verify that Alice was the real sender.

However, how does Bob know that the public key really belongs to the correct Alice? An impostor could have claimed to be Alice and given Bob her own public key. To solve this problem, Bob can use a Certificate Authority (CA) to verify the owner of the public key. Certificate authorities are responsible for issuing digital certificates, which bind a public key to its owner, to organisations after checking their identity.
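The three ideas above (public-key encryption, digital signing, and the certificate that ties a public key to a name) can be seen working together in one small program. This is an added example, not code from the page or the linked tutorials: it is textbook RSA with constructed, toy-sized primes so that the arithmetic is visible. Real systems use 2048-bit keys and padding schemes such as OAEP and PSS; these parameters are for illustration only. The names Alice, Bob and Mallory (the impostor) and the CA's key are all constructed.

```python
import hashlib

def generate_keypair(p, q, e=65537):
    """Textbook RSA from two primes: public key (e, n), private key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def encrypt(text, public_key):
    """Anyone holding the PUBLIC key can encrypt (here one character per block)."""
    e, n = public_key
    return [pow(ord(c), e, n) for c in text]

def decrypt(blocks, private_key):
    """Only the holder of the PRIVATE key can decrypt."""
    d, n = private_key
    return "".join(chr(pow(b, d, n)) for b in blocks)

def digest(data, n):
    """Hash data to an integer smaller than the modulus n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(text, private_key):
    """Alice signs with her PRIVATE key."""
    d, n = private_key
    return pow(digest(text.encode(), n), d, n)

def verify(text, signature, public_key):
    """Bob checks the signature with the signer's PUBLIC key."""
    e, n = public_key
    return pow(signature, e, n) == digest(text.encode(), n)

def _binding(name, public_key):
    return f"{name}:{public_key[0]}:{public_key[1]}".encode()

def issue_certificate(name, public_key, ca_private):
    """A toy CA: after checking identity (offline, not modelled here) it signs
    the statement 'this public key belongs to this name'."""
    d, n = ca_private
    return {"name": name, "public_key": public_key,
            "ca_signature": pow(digest(_binding(name, public_key), n), d, n)}

def check_certificate(cert, ca_public):
    e, n = ca_public
    return pow(cert["ca_signature"], e, n) == digest(_binding(cert["name"], cert["public_key"]), n)

def bob_accepts(message, signature, presented_key, cert, ca_public, expected_name="Alice"):
    """Bob's full check: the CA vouches for the certificate, the certificate is
    for the name he expects, the key he was handed is the certified one, and
    the signature verifies under that key."""
    return (check_certificate(cert, ca_public)
            and cert["name"] == expected_name
            and cert["public_key"] == presented_key
            and verify(message, signature, presented_key))

if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair(1009, 1013)      # constructed toy primes
    mallory_pub, mallory_priv = generate_keypair(1019, 1021)
    ca_pub, ca_priv = generate_keypair(1031, 1033)
    alice_cert = issue_certificate("Alice", alice_pub, ca_priv)

    ct = encrypt("SEND MONEY", alice_pub)
    print(decrypt(ct, alice_priv))                                          # SEND MONEY
    sig = sign("SEND MONEY", alice_priv)
    print(bob_accepts("SEND MONEY", sig, alice_pub, alice_cert, ca_pub))    # True
    # The impostor: Mallory signs with her own key and hands Bob her own public key.
    fake = sign("SEND MONEY", mallory_priv)
    print(verify("SEND MONEY", fake, mallory_pub))                          # True: the signature alone cannot tell Bob who "Alice" is
    print(bob_accepts("SEND MONEY", fake, mallory_pub, alice_cert, ca_pub)) # False: the CA-certified key for Alice is a different key
```

Two things worth noticing when running it. First, the signature check by itself passes for Mallory, which is exactly the problem the text raises: a signature proves possession of some private key, and only the certificate says whose. Second, because this toy encrypts one character at a time with no padding, repeated letters give repeated ciphertext blocks (the two N's and two E's in "SEND MONEY" encrypt identically), the same pattern leak the Caesar cipher has; real implementations add randomised padding to remove it.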

We will first learn the basics of cryptography from the Encryption Tutorial. Another simple source is What is Cryptography? at WiseGeek.

Encryption ethics

Encryption is essential to many industries, including e-commerce and banking. Without encryption it would be too risky to purchase anything online.

However, strong encryption effectively guarantees that nobody without the encryption key can view the plaintext - including law enforcement officials. Different solutions have been suggested. The USA has proposed key escrow, where an authorised body holds users' encryption keys and reveals them to law enforcement if requested.

In the year 2000, the UK passed the controversial Regulation of Investigatory Powers Act (RIPA) which required users to reveal their encryption keys when requested by authorities. Failure to do so could result in a two year prison sentence.

Read the following three articles which discuss the potential problems caused both by criminal and terrorist use of encryption, and by attempts to control the use of such technology:

Crypto kids - puzzles explanations

Assignment

After studying some of the methods and algorithms for encryption, we need to understand how this is done in real life.

Suppose you are an IT security consultant, and one of your clients asks you to review for him the various options (free and paid) that exist for encrypting sensitive data on his hard drive. Answer the following questions:

Answer the questions in a Word file. This file must be sent to my @natomasunified.org account in encrypted form, together with another, unencrypted file that explains how to decrypt it and why you have chosen that particular software.

Resources: 


Wireless Security

10 Tips for Wireless Security

Assignment:

  1. Define the term WPA. [2 marks]
  2. Distinguish the terms spam & phishing. [4 marks]
  3. Explain the process through which data is encrypted using public key encryption. [4 marks]

Security Overview

Part 1

Create a survey that can be used to assess people's understanding of good computer security practices. The survey should focus on the methods people use to protect themselves and their computer, rather than testing any technical knowledge. You might want to create different levels of answer, for example for the question "Do you use antivirus software?", the poorest answer would be No, the next answer would be Yes - but it is not up to date, and the best answer would be Yes-updated regularly. Give your survey to a number of people (over 10). What do your results tell you?

Part 2

Use Desktop Publishing (DTP) software to create an advice booklet called Computer Security for Beginners (or something similar). This should be designed to be handed out in a computer store to people buying a new computer for the first time. The booklet should detail the most common security problems, their effects on people, and their solutions. The emphasis should be on reliable, practical advice and tips that users can follow to improve the security of their computer. You might want to include both solutions and preventative measures.