Many computers, if not most, are now networked via the internet. Both at home and at work the Internet has become an essential part of many people's everyday computing experience and there has been a corresponding increase in the risks of being online. In less than a decade the internet has grown to play a key part in commerce and administration and its importance makes modern economies very vulnerable to attacks. An attack that could disable the internet for a day or so would have far-reaching consequences and its guardians must be constantly vigilant. An appreciation of the threats to security and privacy and how to provide protection against them has thus become a key part of modern education.
The Internet is great as a source of information, a medium for communications and for electronic commerce, sales and marketing. Every user of the Internet also creates information when they visit web pages, send email and carry out transactions such as on-line shopping or downloading software. Such information is valuable to someone somewhere and various individuals and organisations have ways of collecting and using it. In Europe there are strict controls embodied in data protection and human rights legislation but similar legislation does not exist in the USA so there are opportunities for leakage and misuse.
There are currently 35-40 million people working for large corporations who use remote access; this figure is set to rise to 50 million by 2005 and to continue rising rapidly after that. Many employees work away from the office, in sales, at regional offices, at conferences and at home, so the need for remote access to company networks is growing. Employees might use CDs or 'memory pens' to store their files, or rely on the hard disk of their laptops or an email account (perhaps even a public one such as 'Hotmail'), all of which are insecure, so organisations need to provide secure means of storing and communicating company data.
Many organisations and individuals are now actively seeking information from Internet users for their own purposes, some of it with the consent of the users and others without any agreement. One way of harvesting information from users is to offer free gifts such as software or an email account in return for filling out an on-line form; the user believes he is getting something for nothing but the personal details he provides (if he tells the truth!) can be used by the organisation that collects them or sold on to other organisations.
Visitor logs and server session variables may also be used to gather information without asking for it: when you access a site the server can record your IP address and, from that, your computer's host name and DNS domain, together with the pages you visited. People are also a weak point: a survey of 150 people at Victoria Station revealed that around two thirds were prepared to pass on their network password to a stranger, and only one such entry point is required to plant a 'Trojan' program, from which all sorts of attacks can be generated.
Attacks on computers and computer systems come in many forms, some of which are described below. The intent and intensity of the attacks may range from inquisitive teenagers to state-sponsored electronic warfare or terrorism. A UK DTI survey in 2002 revealed that 44% of companies surveyed had suffered a 'malicious incident', i.e. some form of hack-attack.
Hacking is the term generally used for finding ways into computers that do not belong to the hackers. The targets may be soft, such as computers on the Internet without firewalls and unprotected from 'port scanning', or more challenging targets such as computers owned by a government organisation.
The terms 'hacking' and 'hacker' referred originally to people who explored and tinkered with computer systems for the pleasure of it, and gradually this was replaced with the notion of the practical joker. Now the terms are more commonly associated with people using computers to gain illegal access to networks and files. The term 'cracker' has come to be used for criminal hackers, though the distinction is rarely made in the press.
There were a number of high-profile cases in 2000, such as the theft of 300,000 customer credit card details from CD Universe and a blackmail threat against Visa. Security has improved since then but there are still plenty of attacks taking place, and companies are often reluctant to report them, as an admission of a security failure would be bad publicity.
These days every computer linked to the Internet should sit behind a firewall of some kind, either a router that hides the computers attached to it (and will not forward unsolicited inbound connections to them) or software such as 'ZoneAlarm' or the Windows Firewall that XP Service Pack 2 finally switched on by default. A firewall blocks inbound connections to the ports that hackers might use to reach a computer, but this may annoy the user, who reacts by turning the firewall off. The result is that the computer becomes vulnerable to attack again and, like the carrier of an infectious disease, may go on to infect others through email attachments, file swapping, etc. Firewalls need to be easily customisable so that individual ports for things like music downloads or online games can be opened as they are needed, and closed again afterwards.
A virus is a piece of malicious software ('malware') that, like a biological virus, can do little by itself: it attaches to a host (a program, a document macro or a boot sector) and runs when the host does. With most networks and PCs now running anti-virus software the classic file-infecting virus is less of a threat than it was, but it would be rash to conclude that networks can no longer be badly damaged: anti-virus software only recognises what it has signatures for, and the worms described below show how far new code can spread before signatures exist.
Boot-sector viruses accounted for around 75% of all infections until the mid-1990s, relying largely on the exchange of floppy discs for their spread. Macro viruses first appeared in 1995 and infected data files (Word and Excel documents) rather than programs, so they travelled easily as email attachments and had massive potential for damage. Early macro viruses relied on users passing infected documents around; Melissa, in 1999, mailed itself on as soon as the user opened the infected attachment.
Types of virus:
| Macro-Virus: Melissa | Email: ILoveYou | Boot Sector | Trojan |
A worm is a self-contained piece of software that copies itself from one computer to another across a network without needing a host program; in doing so it can slow computers and networks to a crawl or stop them altogether by consuming memory, processor time and bandwidth. The first Internet worm was released by Robert Morris in 1988, the son of a senior computer security expert, who wanted to see what it would do. It worked rather too well: spreading through holes in sendmail and fingerd and by guessing weak passwords, it disabled a large part of the Internet for almost 24 hours (though it was still largely a military and academic network then, with little in the way of e-commerce). Many later worms spread through email, sending a message to everyone in an address list and attaching a copy of themselves, which is what makes them so effective.
Worms are mainly targeted at computers running Microsoft Windows, and early ones were often written in VBA (Visual Basic for Applications), the macro language of MS Office, or in VBScript. One well known example was Melissa (1999), which saturated email servers by sending copies of itself to people in email address books; the cost of the damage and clean-up was estimated at $400m. Other worms have appeared since then and have caused problems on the internet by bringing down servers and damaging personal computers. CodeRed (2001) did not spread by data files at all but attacked a buffer overflow vulnerability in MS Internet Information Server directly over the network, so no user action was needed. NIMDA (2001) used several routes at once: it exploited a vulnerability in Internet Explorer so that an emailed copy ran as soon as the message was previewed, attacked IIS servers, copied itself over open file shares and appended code to HTML pages so that the infection could be spread from an infected web server to its visitors.
Worms and viruses have become significantly faster in their ability to spread infections, from months a decade ago to hours, or even minutes, today. There are now more devices and networks for malware writers to attack, for example mobile phones and PDAs, which operate outside traditional network security. Examples of such new threats include Cabir (which spreads between phones over Bluetooth), Duts and Brador (both for Windows CE handhelds).
Worms and viruses represent a real threat to the Internet and other communications systems and to the services that they support, which is a great deal. Traditional network security relies on having 'walls' around computer systems, but it is now argued that security should be 'perimeterless': every host and every connection should be protected in its own right, with techniques such as strong authentication and encryption, rather than relying on the wall.
Examples of well known worms: Slammer, Sasser, MyDoom, CodeRed, KAKWorm, W32.Blaster, W32.Welchia, Blast.
Port-scanning software is readily available that will sweep the internet for IP addresses, try each of the well known ports at every address and report which ones answer; a computer with an unprotected service listening is where hackers gain access to other people's computers.
Hackers who gain access to another computer can leave a program there that sends information back to the hacker or serves as a platform for launching other attacks such as Denial of Service (DoS) and spam propagation. Such programs are known as 'Trojan horses', after the trick played with the wooden horse at Troy: they arrive disguised as something the user wants. A Trojan that gives the attacker ongoing control of the machine is also called a Remote Access Trojan (RAT); these entry points can be used to launch or coordinate other attacks on networks or the internet, especially DoS attacks, and to send data from the infected computer to another location.
Packet sniffing means installing a piece of software on a computer or network segment that traffic passes through, so that it can read the TCP/IP packets going to and from a particular address. Anything sent in clear, such as POP3 or FTP passwords, can be read this way; encryption (see SSL and IPSEC below) is the defence.
A DoS attack is one where the hacker attempts to deny a service to a computer user or organisation. One way this might be achieved is by flooding a server or website with more requests than it can handle. Hackers often use someone else's computer to do this, having first installed a Trojan horse on some unsuspecting person's computer so that it can be used to launch the attack.
A 'distributed denial of service' (DDoS) attack is one launched simultaneously from many computers that have been taken over by a Trojan (RAT). The use of other people's computers hides the identity of the hackers and the sheer number of computers makes the attack very effective; there is little a single site can do against it beyond having its upstream provider filter the traffic. Mobile computers on unsecured, unencrypted wireless networks may be an easy target for a RAT, as may PCs using broadband without a firewall. Hackers have devised a series of symbols chalked on walls where there is an unsecured wireless network ('warchalking'), and Internet Relay Chat (IRC) channels are commonly used to send commands to the captured machines. In this way hackers may gain control of a large number of computers without the knowledge of the users and then deploy them in a DDoS attack.
When a number of computers have been captured (become zombie-computers) they can be sold on to people who want to exploit them.
Address harvesting involves taking addresses from an email directory, a web page or the address books of infected computers as the basis of a spamming campaign.
Attacks may also be aimed at the operating system itself, using tools such as port scanning to find a way in and a virus or a RAT (Remote Access Trojan) to gain control.
A scam is a rip-off, defrauding someone of money or a valuable item by a confidence trick. 'Snake oil', for example, was often touted at fairs as a cure for all sorts of ills; this is why Clifford Stoll uses the term 'silicon snake oil' when talking about the role of computers in education. Alchemists were a type of fraudster found in the 16th and 17th centuries who claimed they could turn base metal into gold; in Ben Jonson's The Alchemist members of the public are 'gulled' by Subtle. More recently films such as 'The Grifters' have shown a range of scams operating in the present day.
Fairgrounds are traditionally places where rogues and thieves operated scams such as fortune telling and a range of games with impossible odds. In the modern era various people have turned to double glazing, water purification and solar heating systems, to name but a few, to fool unwary members of the public.
Fraudsters have also turned to the internet as fertile ground for practising their craft. 'Phishing' is one example of such a scam: criminals try to get personal and financial data from email account holders. An email is devised to look like an official communication from an organisation such as Amazon, eBay or a bank, with a story along the lines of 'mix up at head office... do you still want to trade with us... please submit your credit card details...', and it is sent to thousands of addresses at once. If only a handful of people fall for this the criminal may profit handsomely from the credit card details supplied; as suggested earlier, people are easily fooled.
The tell-tale signs of a 'phish' include requests for items like the PIN, security password or the security code on the back of the card, which no genuine organisation should ask for by email; the lack of an 's' in what should be 'https' in the address of the page you are sent to is also a give-away (even though many such phishes claim to come from secure sites!). Note that the text of a link in an HTML email need not match the address it actually points to, so check the real destination rather than what is displayed. For details on secure sites see the section on SSL below.
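The checks described above can be automated. The following is an added example, not code from the original page: it scans an HTML email for requests for card details, for links that are not https, for links pointing outside the organisation's own domain, and for link text that shows one address while the link goes to another. The two messages and the domain bank.example are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Things no genuine organisation should ask for by email (from the text).
SENSITIVE_REQUESTS = ("pin", "security code", "security password", "card number")

# Constructed sample messages; bank.example is a placeholder domain.
PHISH = """<p>Due to a mix up at head office we need you to confirm you still
want to trade with us. Please enter your card number and PIN at
<a href="http://bank.example.verify-login.example.net/">https://www.bank.example/secure</a></p>"""

GENUINE = """<p>Your statement is ready. You can view it at
<a href="https://www.bank.example/statements">our site</a>.</p>"""


class LinkExtractor(HTMLParser):
    """Collect (displayed text, href) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phish_indicators(html_body, claimed_domain):
    """Return the tell-tale signs found in one HTML email.

    claimed_domain is the organisation the mail purports to come from;
    any link to a host outside that domain is suspicious.
    """
    found = []
    text = re.sub(r"<[^>]+>", " ", html_body).lower()
    for phrase in SENSITIVE_REQUESTS:
        if re.search(r"\b" + re.escape(phrase) + r"\b", text):
            found.append(f"asks for {phrase}")

    parser = LinkExtractor()
    parser.feed(html_body)
    for shown, href in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme == "http":
            found.append(f"link to {host} is not https")
        if host and host != claimed_domain and not host.endswith("." + claimed_domain):
            found.append(f"link goes to {host}, not {claimed_domain}")
        # Link text that looks like an address but differs from the real target:
        # the displayed text of an HTML link is chosen by the sender, not the browser.
        m = re.match(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", shown.lower())
        if m and m.group(1) != host:
            found.append(f"link text shows {m.group(1)} but points to {host}")
    return found


if __name__ == "__main__":
    for name, body in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, phish_indicators(body, "bank.example"))
```

The phish above trips all five checks; the genuine message trips none. A filter like this is a heuristic, not proof: a phish hosted on a compromised https site with a plausible name passes the link checks, which is why the advice to type the bank's address yourself rather than follow the link still stands.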
The volume of junk email created by a relatively small number of sources can overwhelm users' mailboxes and make email difficult to use. Some of these unsolicited emails may be pornographic and sent to children, which is one issue, while the sheer volume of junk may deter other users from using email at all.
According to IBM, in 2004 around 70% of the world's email traffic was spam, an average of 24.8 billion unsolicited emails per day. Some estimates put the amount of spam at around 80% of all emails sent. This represents a considerable expense to businesses and other organisations, in the hardware required to store it and in the time and money spent blocking and removing it.
In 2002 it was estimated that the annual cost of spam in the US alone was $8.9 billion and this has certainly risen further since then as attacks have become more sophisticated and pervasive. Some sources estimate that personal email-based filing systems contain up to 80% of an organisation's unstructured data assets.
The problem stems from the fact that email was designed, in a more innocent age, to be easy to use and anonymous and email has replaced the telephone as the primary mission-critical communications channel.
To make email viable many users now employ 'spam-busters', software designed to block unwanted email. The simplest approach is to accept only emails from recognised senders, but this excludes emails from new correspondents that you would have wanted to see, so most filters also judge each message on its content.
The rules for the software need to be flexible and effective. First-generation spam-busters operated on the content of the message so could block, for example, emails containing the word 'V i a r g a' (sic: trying to prevent the filter from blocking this page!), but this is clearly no use to health professionals. Similarly, emails containing expletives from dissatisfied customers may be valuable to the companies receiving them - it is relatively easy to mistype words and have a message blocked! The success of spam-blockers has to be judged not just by how much illicit mail is blocked but also by how little genuine mail is blocked.
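The two failure modes in the paragraph above (a blocked word that health professionals legitimately use, and a spammer's 'V i a g r a' that slips past a plain word match) can be shown side by side. The following is an added example, not code from the original page: a first-generation filter that blocks on one word, beside a small statistical (naive Bayes) filter of the kind later spam-busters use, which learns from examples which words are evidence of spam and which are not. The training messages and the test messages are constructed for the example and are far smaller than a real corpus.

```python
import math
import re
from collections import Counter

# Constructed training corpus: five spam and five legitimate ('ham') messages.
# One ham message is from a clinic, where 'viagra' is a perfectly normal word.
SPAM_CORPUS = [
    "buy cheap viagra online now click here free shipping",
    "v i a g r a at lowest price click now",
    "free prize winner click here to claim your free money",
    "cheap meds online no prescription click here",
    "lowest price pills free shipping buy now",
]
HAM_CORPUS = [
    "meeting tomorrow to review the quarterly budget figures",
    "patient prescribed viagra dosage review attached for the clinic",
    "your order has shipped and the invoice is attached",
    "the clinic pharmacy prescription records for review",
    "can we move the budget meeting to thursday",
]

# Constructed test messages.
CLINIC_MAIL = "please review the viagra prescription for the patient at the clinic"
SPAM_MAIL = "click here for cheap viagra lowest price free shipping now"
OBFUSCATED = "v i a g r a cheap click"


def crude_block(text):
    """First-generation filter: block anything containing the word."""
    return "viagra" in text.lower()


def tokens(text):
    """Lower-case word tokens. Runs of three or more single letters are joined,
    so the spammer's 'V i a g r a' becomes the token 'viagra'."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    out, run = [], []
    for w in words + [""]:          # the empty sentinel flushes the last run
        if len(w) == 1:
            run.append(w)
            continue
        if len(run) >= 3:
            out.append("".join(run))
        else:
            out.extend(run)
        run = []
        if w:
            out.append(w)
    return out


class NaiveBayesFilter:
    """Counts, per token, how many spam and how many ham messages contained it."""

    def __init__(self):
        self.spam, self.ham = Counter(), Counter()
        self.n_spam = self.n_ham = 0

    def train(self, text, is_spam):
        present = set(tokens(text))
        if is_spam:
            self.spam.update(present)
            self.n_spam += 1
        else:
            self.ham.update(present)
            self.n_ham += 1

    def spam_probability(self, text):
        # Log-odds of spam given the tokens present, with add-one smoothing so
        # that a word never seen before neither condemns nor excuses a message.
        log_odds = math.log((self.n_spam + 1) / (self.n_ham + 1))
        for t in set(tokens(text)):
            p_spam = (self.spam[t] + 1) / (self.n_spam + 2)
            p_ham = (self.ham[t] + 1) / (self.n_ham + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))


def trained_filter():
    f = NaiveBayesFilter()
    for msg in SPAM_CORPUS:
        f.train(msg, True)
    for msg in HAM_CORPUS:
        f.train(msg, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in (CLINIC_MAIL, SPAM_MAIL, OBFUSCATED):
        print(f"crude={crude_block(msg)!s:5} bayes={f.spam_probability(msg):.3f}  {msg}")
```

The crude filter blocks the clinic's mail and passes the obfuscated spam; the statistical filter, having seen the word in legitimate clinical context, rates the clinic's mail at under 1% and both spam messages above 90%. Judging a filter by its false positives as well as its catch rate, as the text says, is exactly what a corpus of known ham lets you do.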
One vendor of an anti-spam product (Barracuda Networks) uses a layered approach to protection. A network layer checks against mass mailings that may be DoS attacks and nine other layers include tests against known spammers IP addresses, virus checks and user-defined tests.
Governments too have become involved in spam-busting. EU laws could soon make it necessary for a user to give explicit permission to receive unsolicited junk mail. Within such laws there are plenty of companies that would want to continue marketing by email but staying within the law.
The main law in relation to email marketing is the Data Protection Act 1998, which imposes general requirements on companies regarding how they collect and use email addresses. The key requirement is that personal information must be used only for the purposes for which it was collected. It is relatively easy to get round such legislation by basing email marketing outside the country concerned.
Other laws affecting email include the Electronic Commerce Regulations of 2002, which require companies to label commercial emails and identify if they are unsolicited, and the European Communications Data Protection Directive, 2002, which enforces a rule that individuals should only receive emails to which they have actively subscribed.
A cookie is a small piece of text that a web site asks the browser to store on the user's computer and return on later visits. Typically it holds an identifier that lets the site recognise the user and track him around the site, and the site can link that identifier to whatever it knows about him, such as his name and other details he has entered. Data from online purchases may also be used, indirectly, to help organisations target users with promotional material about things that they might be interested in.
Computers can be secured against theft, and against the loss or compromise of the data on them, by physically locking them down or locking them away. This may seem obvious, but there are many cases of theft or loss where the user has been careless or negligent.
Everyone is familiar with the notion of a password. Passwords can be cracked quite quickly if they are based on names (wife, husband, dog, etc.; an attacker just finds them out) or, with a dictionary, if they are based on common words. (What if they are foreign words? Hakuna Matata! Word lists in other languages and of well known phrases exist too.) Even made-up passwords can be discovered by trying every combination, though this takes much longer: random sets of letters and digits are harder to remember but also far harder to crack, and every extra character multiplies the work.
Passwords should be changed regularly; the system often forces people to do this, though you can often reuse the same password or cycle through a small set (railway stations, footballers, film stars...), which defeats the point of the rule.
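To see why a name-based password falls in seconds while a random one does not, here is an added example (not code from the original page) of how a cracker works through guesses against a stored password hash. The names, the word list, the suffix rules and the use of unsalted SHA-256 as the stored hash are all assumptions made for the example; real systems use salted, slower hashes, which changes the speed but not the principle.

```python
import hashlib
import itertools
import secrets
import string

# Constructed inputs: the things a cracker would find out about the victim
# (family and pet names) plus a small word list, including the foreign phrase.
NAMES = ["alice", "bob", "rover"]
WORDLIST = ["password", "letmein", "football", "hakunamatata"]
SUFFIXES = ("1", "123", "!", "2004", "2005")


def hash_password(password):
    """Unsalted SHA-256, standing in for whatever hash the system stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def guesses(names, wordlist):
    """Guesses in the order a cracker tries them: each base word as typed,
    capitalised and reversed, then each of those with a common suffix."""
    for base in itertools.chain(names, wordlist):
        for variant in (base, base.capitalize(), base[::-1]):
            yield variant
            for suffix in SUFFIXES:
                yield variant + suffix


def crack(target_hash, names=NAMES, wordlist=WORDLIST):
    """Return (password, number of guesses) or (None, number of guesses tried)."""
    count = 0
    for count, guess in enumerate(guesses(names, wordlist), start=1):
        if hash_password(guess) == target_hash:
            return guess, count
    return None, count


def random_password(length=12, alphabet=string.ascii_letters + string.digits):
    """A made-up password: letters and digits chosen by a secure random source."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(alphabet_size, length):
    """Number of candidates a brute-force attack must cover in the worst case."""
    return alphabet_size ** length


if __name__ == "__main__":
    print(crack(hash_password("Rover123")))            # found after 45 guesses
    print(crack(hash_password("hakunamatata2005")))    # foreign phrase: found too
    print(crack(hash_password(random_password())))     # not in any list
    print(search_space(62, 12))                         # 62^12 combinations
```

The dog's name with a year appended is found on the 45th guess; a 12-character random password is not found at all, and exhaustive search over 62 characters in 12 positions is about 3 x 10^21 candidates. Cycling through railway stations or footballers just adds another short word list.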
This provides the means to encrypt data such as emails and files so that it cannot be read by other agencies during transmission. Cryptography has a long and colourful history (Julius Caesar, Mary Queen of Scots and the Nazis and Alan Turing all feature in it) but in the computer age it has grown into something that almost anyone can use.
Cryptology is the general study of cryptographic systems: cryptography deals with designing and using ciphers (encrypting plaintext and decrypting it with the key) and cryptanalysis deals with breaking them (recovering the plaintext or the key without being given the key).
Some companies produce card readers that will lock out anyone who does not have an appropriate card and password combination, so that a stolen password alone is not enough (two-factor authentication).
This provides a means of establishing that a user is really the person they claim to be. The most common form of authentication is by user name and password but for more sensitive access this may not be enough. For example, a trading site such as Amazon or EBay that requires transmission of credit card details, or a bank site that reveals personal financial details and allows electronic transactions must be secure against hackers. When users log on to these sites they need to be sure that the site is really the one it appears to be and not some spoof with a similar address (.co rather than .com, for example).
IPSEC is a set of general-purpose protocols for protecting TCP/IP communications, most commonly used to protect traffic between hosts or networks rather than between users. It functions at the network (IP) layer of the TCP/IP stack, so it protects everything carried above that layer: the TCP or UDP header (ports, sequence numbers) as well as the application data.
IPSEC is designed to protect all types of internet software (www, email, ftp, telnet, gopher), prevent forgery, preserve privacy and allow secure use of an untrusted network (the Internet). Because it works below the applications, protection is provided automatically rather than requiring a special effort by users or changes to the software.
Under IPSEC a packet header contains an SPI (Security Parameter Index), which identifies the keys and procedures to use (the 'security association'). One type of header is the Authentication Header (AH), which carries an integrity check value that can be used to detect changes made by third parties during transport. The value is computed with a keyed one-way hash function (an HMAC), so without the key a third party cannot recompute it after altering the packet. The AH includes the packet's IP header in its computation (apart from fields such as the TTL that legitimately change at every router), so any change to the addresses is detected as well; a side effect is that AH cannot pass through a NAT device, which rewrites addresses.
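The following is an added example, not code from the original page or from any IPSEC implementation, showing the AH idea in miniature: the integrity value is a keyed hash over the addresses, the SPI, the sequence number and the payload, with the TTL counted as zero because routers change it. The SPI, key, addresses and payloads are constructed, the HMAC is truncated to 128 bits as real AH does, and the replay check is simplified to 'sequence numbers must increase' (real IPSEC uses a sliding window).

```python
import hashlib
import hmac
import socket
import struct


def new_sa_table():
    """Constructed Security Association: one SPI, one key shared by both ends."""
    return {0x1000: {"key": bytes(range(32)), "last_seq": 0}}


def ah_icv(key, packet):
    """Integrity Check Value over the immutable IP header fields, the AH fields
    and the payload. TTL changes hop by hop, so it is counted as zero; the
    addresses are covered, so any rewrite of them breaks the check."""
    covered = (socket.inet_aton(packet["src"])
               + socket.inet_aton(packet["dst"])
               + struct.pack("!B", 0)                       # TTL treated as 0
               + struct.pack("!II", packet["spi"], packet["seq"])
               + packet["payload"])
    return hmac.new(key, covered, hashlib.sha256).digest()[:16]


def send(sa_table, spi, seq, src, dst, payload, ttl=64):
    """Sender side: build the packet and attach the ICV for its SA."""
    packet = {"src": src, "dst": dst, "ttl": ttl, "spi": spi,
              "seq": seq, "payload": payload}
    packet["icv"] = ah_icv(sa_table[spi]["key"], packet)
    return packet


def receive(sa_table, packet):
    """Receiver side: find the SA by SPI, check the ICV, then the sequence number."""
    sa = sa_table.get(packet["spi"])
    if sa is None:
        return "unknown SPI"
    if not hmac.compare_digest(ah_icv(sa["key"], packet), packet["icv"]):
        return "ICV mismatch"
    if packet["seq"] <= sa["last_seq"]:
        return "replay"
    sa["last_seq"] = packet["seq"]
    return "ok"


def demo():
    table = new_sa_table()
    results = []
    p1 = send(table, 0x1000, 1, "10.0.0.1", "10.0.0.2", b"GET / HTTP/1.0\r\n")
    p1["ttl"] -= 4                                # routers decrement TTL in transit
    results.append(receive(table, p1))            # ok: TTL is not covered
    p2 = send(table, 0x1000, 2, "10.0.0.1", "10.0.0.2", b"GET / HTTP/1.0\r\n")
    p2["payload"] = b"GET /admin HTTP/1.0\r\n"    # a third party alters the contents
    results.append(receive(table, p2))            # ICV mismatch
    p3 = send(table, 0x1000, 3, "10.0.0.1", "10.0.0.2", b"hello")
    p3["dst"] = "192.0.2.9"                       # a NAT box rewrites the address
    results.append(receive(table, p3))            # ICV mismatch
    results.append(receive(table, p1))            # seq 1 seen again: replay
    p4 = send(table, 0x1000, 4, "10.0.0.1", "10.0.0.2", b"hello")
    p4["spi"] = 0x2000                            # no such SA at the receiver
    results.append(receive(table, p4))            # unknown SPI
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The third case is the practical point: the address rewrite a NAT router performs is indistinguishable, to AH, from an attacker's forgery, which is why AH and NAT do not mix and ESP (with its own integrity check, and NAT traversal) is what most VPNs use.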
Another type of header is the Encapsulating Security Payload (ESP), which encrypts the packet's contents (and can also carry its own integrity check). The original standard method of encryption was DES in CBC mode (Data Encryption Standard, Cipher Block Chaining). DES was developed by IBM and adopted as a US federal standard in 1977 with input from the NSA (National Security Agency); its 56-bit key is now too short and it can be broken by brute force. IPSEC can also use other ciphers such as 3DES and AES.
IPSEC needs a way of managing keys; the standard method is IKE (Internet Key Exchange), which negotiates the security association and exchanges keys automatically using, for example, the Diffie-Hellman key exchange method (SKIP, Simple Key-management for Internet Protocols, was an earlier alternative). Key exchange is an important issue in cryptography. Without public key systems each user on a network would need a separate secret key for communicating with every other user. With four users this would mean n(n-1)/2 keys, or 4*3/2 = 6. With 10 users the same formula applies, so 45 keys would be needed; with 1000 users 499,500 keys would be needed, and so on; the number of keys required quickly becomes unmanageable. The use of public keys under algorithms such as Diffie-Hellman and RSA means each user has just one public key that anyone can use, together with a private key that is never shared.
IPSEC can be used to provide VPNs (see below) and security for remote or mobile users.
These are named after the firewall found on steam trains that was designed to protect the passengers from burning coals and serious fire (bad for business). They may be software on a single computer or hardware devices or dedicated computers with firewall software.
Firewalls protecting corporate networks, such as those in schools, universities, public organisations and companies, are typically hardware devices while those protecting individual PCs (and mobiles) are generally implemented in software. A hardware firewall is a router through which all internet communications pass before they are allowed into or out of the corporate network. Different internet services use different ports and the firewall configuration software allows individual ports to be blocked. Some firewalls may include integrated encryption services using IPSEC.
There may be a computer designated as a 'bastion host' attached to the network which handles internet traffic going out of and coming into the network. This will be located in the Demilitarized Zone (DMZ) between the exterior and interior routers/firewalls. The bastion host may be set up as a proxy server, which processes internet requests on behalf of internal machines and can also keep a large cache of downloaded pages. A proxy server can also be used to block requests to certain addresses or categories of site (e.g. pornography, games, chat rooms, mobile phone sites, known hacker sites...). Another technique is Network Address Translation (NAT), where internal IP addresses (which may be duplicated in other private networks) are translated into a valid external IP address before packets are transmitted; similarly, replies from the internet are translated back to the internal IP addresses, so the internal machines are never directly addressable from outside.
The rise of broadband means that home users also need to have firewall protection. There are a number of software products available but routers and firewalls are also included in broadband 'modems' so features similar to those found on a corporate network are available to home users for relatively little cost. Protection is needed so that hackers cannot gain access to a PC, for example through port scanning and a RAT, and steal data, damage the computer or harness it for a DDoS attack. All internet users need to be aware that their personal data may be compromised and incriminating trails may lead to their computers even when they are entirely innocent and unaware of the activity.
A port is a number (0 to 65535) carried in the TCP or UDP header that identifies which program on a computer a packet is for; it is the virtual gateway between an application and the internet. A port is 'open' when a program is listening on it for incoming connections. Each service has a well known port, for example email software contacts port 110 on a server to collect mail (POP3) and port 25 to send mail (SMTP), while ftp software generally uses port 21.
Personal firewalls examine each packet and decide from its headers what to do with it. The headers include the sending and receiving computers' IP addresses and the port numbers, so a rule can allow, say, outgoing web connections while refusing incoming connections to every port except those the user has explicitly opened.
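The port scanning mentioned under attacks, and the notion of an 'open' port just described, come together in the following added example (not code from the original page): the simplest form of port scanner, which tries a full TCP connection to each port and reports the ones that answer, with the well known service name looked up from the system's services file. To have something to find offline it starts its own listener on an ephemeral local port and scans the ports around it; the address 127.0.0.1 and the port range are choices made for the example.

```python
import socket
import threading


def service_name(port):
    """Well known name for a port (pop3, smtp, ftp...) from the system's services file."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def tcp_connect_scan(host, ports, timeout=0.2):
    """Return the ports on host that accept a TCP connection, in ascending order.

    This is the simplest kind of scan, a full three-way handshake per port;
    the target's logs will show a connection for every open port probed,
    and a firewall that refuses unsolicited inbound connections shows nothing."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:          # refused, timed out or unreachable
                continue
            open_ports.append(port)
    return sorted(open_ports)


def demo():
    """Start a listener on an ephemeral local port so the scan has something
    to find, then scan the ports around it. Returns (listening port, hits)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    port = listener.getsockname()[1]

    def accept_loop():
        try:
            while True:
                conn, _ = listener.accept()
                conn.close()
        except OSError:              # listener closed: scan is over
            pass

    threading.Thread(target=accept_loop, daemon=True).start()
    try:
        hits = tcp_connect_scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        listener.close()
    return port, hits


if __name__ == "__main__":
    port, hits = demo()
    print(f"listening on {port}; open ports found: {hits}")
    for p in (21, 25, 110):
        print(p, service_name(p))
```

Real scanners (and the attackers using them) send thousands of such probes across whole address ranges, and use half-open or stealth variants that never complete the handshake; the defence on the target side is the same in every case, which is to have nothing listening that does not need to be, and a firewall in front of what does.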
SSL was developed by Netscape Communications as part of their security package for the World Wide Web. The Netscape Commerce Server uses SSL to provide secure web services and the Navigator was the first browser to provide the corresponding client. SSL relies on public key cryptography and key exchange to set up secure encrypted links between the server and the client.
SSL provides the same three functions as IPSEC (authentication, encryption and key exchange, the jobs of AH, ESP and IKE respectively) but applies them in the transport layer of the TCP/IP stack, between an application and TCP, rather than to every IP packet.
A Certificate Authority, which may be a private company or a government body, can issue certificates that will verify that an organisation is definitely the one a user thinks it is. This is important in online commerce where a user wants to be sure that he really is dealing with, say, orinoco.com, and not with a spoof.
When verification is received the user can proceed to submit his credit card details knowing that they will be encrypted before they are transmitted (and so are not vulnerable to, for example, packet sniffing). This is achieved with SSL which provides verification that the web site is official. A web site verified with a certificate and encryption by SSL is identified by the https protocol.
A Virtual Private Network provides a protected or private network in the public space of the internet. VPNs are often referred to as 'tunnels', which gives some idea of how they work, providing a distinct and separate environment in which communications can take place. A tunnel can be regarded as a 'virtual circuit', that is a point-to-point connection through the Internet that is temporary and private and protected for the duration of the connection. The Layer 2 Tunnelling Protocol (L2TP) and Microsoft's Point-to-Point Tunnelling Protocol are important standards in VPN technology. The 'tunnel' analogy, however, can be misleading as messages inside a VPN pass through the same routers as any other internet traffic and it is only techniques like encryption and authentication that keep the data safe.
Users can choose to obtain their VPN from a third party such as an ISP (a 'trusted' or 'managed' VPN) or provide one themselves (a 'secure' VPN).
There are two main methods for creating a VPN, IPSEC and SSL. IPSEC provides a Layer 3 connection that should terminate at a firewall and provide access to resources in a DMZ - this will give users full access to the resources in the DMZ such as servers. This is useful for persistent connections between networks such as company offices and also for technical staff or people who must have access to particular resources such as applications. IPsec will almost certainly involve the use of Internet Key Exchange (IKE - automatic security negotiation and public key management), which adds to the complexity and expense of this approach.
SSL is more likely to be used for individual remote connections from home or by mobile users. SSL provides either a layer 4 or a layer 7 connection that can pass through firewalls to provide access to specific applications such as email (SSL is built into MS Exchange 2003, for example, for Outlook Web Access).
When a client establishes an SSL connection it performs a 'handshake' with the server. During this process the client checks the server's certificate and the public key it contains, and then sets up a session key for the encryption of the data exchanged. SSL is easier to set up and cheaper to deploy and is growing in popularity, even though it does not provide the same level of access as IPsec (for example there is no network share and file access). It is a good system for mobile users as it requires little in the way of local software, but it is processor intensive and more limited than IPsec in the number of clients a gateway can handle. SSL data can pass through proxies, routers, firewalls and NAT, which is very convenient.
A Demilitarised Zone (DMZ) is a space in a network between the corporate firewall and the network proper. There may be a firewall on either side of the DMZ. Servers that communicate with the outside world (such as a web server or email server) are kept in the DMZ, between the firewalls, while those that are used internally (such as an intranet or a database application) are kept inside the internal firewall and can only be reached from inside the internal network.
Use the operating system or the application to encrypt data at rest: for example Tools/Options/Security in Office applications allows you to encrypt your files and protect them with a password, and Windows 2000 and XP Professional provide the Encrypting File System. Note that the password protection in older Office versions used very weak (40-bit) encryption that can be broken quickly; file encryption is only as strong as the algorithm and the password behind it.
MIME is Multipurpose Internet Mail Extensions, the standard for attachments and non-text content in email. S/MIME (Secure MIME) is an extension that uses certificates to sign and/or encrypt a MIME message, so that the recipient can check who sent it and that it has not been altered, and so that only the intended recipient can read it.
A user who has a private key can use it to 'sign' documents, and anyone holding the matching public key can check the signature. A valid signature confirms that the document came from the holder of the private key and has not been changed since; the public key gives away nothing about the private key, confirming only that the two are a matching pair.
A body known as a Certificate Authority (CA), which may be a private company or a government body, can issue certificates to organisations that will verify that the organisation is definitely the one a user thinks it is. This is important in online commerce where a user wants to be sure that he really is dealing with, say, Orinoco.com, and not with a spoof.
A Certificate Authority signs every certificate it issues with its own private key, so certificates cannot be forged by anyone who does not hold that key. A certificate binds an organisation's name to its public key; the organisation generates the key pair itself and the private key never leaves it. Anyone wanting to contact the organisation securely can use the public key in the certificate (only the organisation can decrypt with its private key).
The public keys of the CAs (in the form of self-signed CA certificates) are embedded in web browsers; the list is known as the 'Trusted Root Database'. Thus the server at, say, orinoco.com, should have a certificate issued by a given CA and signed with that CA's private key, and the browser checks the signature with the CA's public key from its root database, thus ensuring that the company is really who it claims to be. A certificate signed by a CA the browser does not know, or whose name does not match the site, produces a warning.
Certificates can be created with web server software for use within an organisation, for example within an intranet.
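The three paragraphs above (signing with a private key, a CA signing certificates, and a browser checking them against its root database) can be shown end to end with a miniature version of the machinery. The following is an added example, not code from the original page: it uses textbook RSA on fixed Mersenne primes with no padding, which is an assumption made so that it runs with the standard library alone (a real CA uses random 2048-bit or larger keys and a padding scheme, and real certificates are X.509 structures rather than dictionaries). 'Example CA' is an invented name; orinoco.com is the site the text uses.

```python
import hashlib

# Toy textbook RSA: fixed Mersenne primes, public exponent 65537, no padding.
E = 65537


def _modinv(a, m):
    """Extended Euclid: return a^-1 mod m."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, s0, s1 = r1, r0 - q * r1, s1, s0 - q * s1
    return s0 % m


def keypair(p, q):
    """Return (public, private). The private key never leaves its owner."""
    n = p * q
    return {"n": n, "e": E}, {"n": n, "d": _modinv(E, (p - 1) * (q - 1))}


def _digest(fields, n):
    """SHA-256 of the fields in a fixed order, reduced to fit the modulus."""
    data = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, fields):
    return pow(_digest(fields, private["n"]), private["d"], private["n"])


def verify(public, fields, signature):
    return pow(signature, public["e"], public["n"]) == _digest(fields, public["n"])


def issue(issuer_name, issuer_private, subject, subject_public):
    """A certificate: the subject's name and PUBLIC key, the issuer's name,
    and the issuer's signature over exactly those fields."""
    tbs = {"subject": subject, "issuer": issuer_name,
           "n": subject_public["n"], "e": subject_public["e"]}
    return {**tbs, "signature": sign(issuer_private, tbs)}


def browser_checks(cert, trusted_roots, expected_host):
    """What a browser does with a server's certificate: look the issuer up in
    its trusted root database, verify the issuer's signature with the issuer's
    public key, and confirm the certificate was issued for the site visited."""
    root = trusted_roots.get(cert["issuer"])
    if root is None:
        return "issuer not in trusted root database"
    tbs = {k: v for k, v in cert.items() if k != "signature"}
    if not verify({"n": root["n"], "e": root["e"]}, tbs, cert["signature"]):
        return "signature invalid"
    if cert["subject"] != expected_host:
        return "certificate is for a different site"
    return "ok"


def demo():
    ca_pub, ca_priv = keypair(2**107 - 1, 2**127 - 1)
    root = issue("Example CA", ca_priv, "Example CA", ca_pub)   # self-signed
    trusted = {root["subject"]: root}                             # the browser's root store

    srv_pub, srv_priv = keypair(2**61 - 1, 2**89 - 1)            # srv_priv stays on the server
    server_cert = issue("Example CA", ca_priv, "orinoco.com", srv_pub)

    # Editing the subject of a genuine certificate invalidates the CA's signature.
    altered = dict(server_cert, subject="orinoco.co")
    # An attacker with his own CA can sign anything, but the browser checks the
    # signature with the real CA's public key, under which the forgery fails.
    rogue_pub, rogue_priv = keypair(2**521 - 1, 2**607 - 1)
    forged = issue("Example CA", rogue_priv, "orinoco.com", rogue_pub)

    return {
        "genuine": browser_checks(server_cert, trusted, "orinoco.com"),
        "wrong site": browser_checks(server_cert, trusted, "orinoco.co"),
        "altered": browser_checks(altered, trusted, "orinoco.co"),
        "forged": browser_checks(forged, trusted, "orinoco.com"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10} {outcome}")
```

Note what the browser never needs: the CA's private key (it is never in the certificate) and the server's private key (used only later, in the SSL handshake, to prove the server owns the public key the certificate names). The 'wrong site' case is the .co-for-.com spoof mentioned under authentication: a perfectly valid certificate for one name is no use for another.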
To address the problem of Spam and other forms of junk mail a number of efforts have been made to block it. Spam filters include a number of rules that a user can configure so that email can be blocked by criteria such as originator and content.
Some governments believe that they should have the right to inspect any private communication if it is thought to be linked to crime or subversive activities such as industrial action or terrorism. In the early 1990s the Clinton presidency attempted to force through acceptance of the 'Clipper' and 'Capstone' chips, hardware devices that would be built into equipment to provide encryption that government agencies could nevertheless unlock. Capstone is targeted at computer data and email while Clipper is for encrypted telephones; both use the SKIPJACK encryption algorithm, which was itself kept secret at the time.
Clipper and Capstone rely on 'key escrow': every chip has a unique 'unit key', recorded against the chip's serial number and held (in two halves, by two separate escrow agencies) by the authorities, and all chips share a 'family key'. The chip inserts a 'LEAF' (Law Enforcement Access Field) into every communication; the LEAF contains the session key encrypted under the unit key, together with the chip's serial number, the whole being encrypted under the family key. A law enforcement agency acting under the permission of a court decrypts the LEAF with the family key, obtains the unit key for that serial number from the escrow agencies, recovers the session key and so decodes the message. The American government was keen to enforce the use of the Clipper and Capstone systems in products made for export (encryption systems are regarded as military products, see the section on PGP).
This approach to encryption was controversial to people concerned with civil liberties as it appeared to make privacy impossible. It is easy to reply with the 'nothing to fear if you're innocent' argument, and in the current climate of terrorism and counter-terrorism governments find it easier to get their way. The methodology of Clipper and Capstone is also controversial because it involves sending the session key with the message, albeit in a form that is very hard to decrypt. Adding Clipper and Capstone to products makes them more expensive due to the increased security precautions required during manufacture (no use if the family keys are stolen!), increased complexity and design constraints, and the funding of the escrow agencies. In 1994 Matt Blaze also showed that the LEAF's 16-bit checksum could be defeated by trial and error, so that a Clipper device could be made to transmit a LEAF that the escrow agencies could not use.
The FBI has a system for collecting information from IP packets at ISPs, once known as 'Carnivore' (later renamed DCS1000). It consists of a 'collector', a packet reader installed at an ISP to read packets and inspect their contents. This is essentially a 'packet sniffer', a piece of software that reads the contents of packets and can collect information from them; the same technique in a hacker's hands is described above.
Governments get involved with computer security when national information assets are at risk, such as financial, government or agency networks. Since the attack on the World Trade Center on September 11, 2001, governments have become increasingly aware of the threats posed by cyber-terrorists and there is a new determination to make networks completely secure. 'Information warfare' can be waged at relatively low cost against a wealthy country because conventional military hardware is not required (for this reason the term 'asymmetric warfare' is also used).
Security products mentioned on this page: PGP; Armadillo USA GateKeeper; DSE Net; SurfinShield Corporate; MFX Verify; PacketHound; Window Washer; WinGuardian; Zone Alarm; BlackIce Defender; Norton Firewall; SyGate; BioMouse Fingerprint Scanner.