 On Tuesday, introducing some terminology and some concepts about generally computer security and one thing we spoke about, we have attacks, sometimes called threat actions, attackers, malicious users or threat agents and we can have a set of consequences of a threat and a threat action and we looked at some classification of different types of consequences, things that can go wrong and what can cause them and we ended up, this is the scope of computer security saying that a computer system may be made up of multiple computers that communicate across some network. This is a simplistic diagram where we have two computers communicate across some network whether it's across a single link or it's across the entire internet but some network and we have users that use those computers so that human users access those computers so different things we care about with computer security is how those users can access those computers, something like authentication, checking that the human user is someone who is authorised to access that computer. You know that you have logins for computers so that you need to provide a username and password to prove to the computer that you are a person authorised to access that computer. In fact, our third topic is about user authentication. If we look at the internals of the computers, we have software processes running, we have the computers made up of hardware, we have software running on them, we have data on those computers so we need different controls for the software to access the data and to provide permissions as to what it can and cannot access and we need some controls of the information sent between computers across network to make sure that some malicious user cannot get unauthorised access to the information sent across the network, for example. So computer security includes network security but also security of the internals of the computer and security of the human users and how they use those computers. Let's focus a little bit about the communications or the network aspect. When computers communicate with each other, what do we care about with respect to security? We can say there are three different aspects. We can look at attacks, the mechanisms that we use to try and prevent and detect attacks and the service that we try to provide using those mechanisms and the six main services that we may try to provide are listed here. Shall we go through this on Tuesday? Yes? They all clear? So briefly, authentication makes sure that the entity that we're communicating with is who they say they are. Whether it's computer to computer or human to computer, we want to check that this entity is not pretending to be someone else. This control, controlling access to resources like block people from accessing the printers inside SIT or allow them to access this server but not this server. Data confidentiality, keep our messages private, secret or confidential. That's a common service that we want to provide. These are what we may want to provide to the users and the computer system. Basically, make sure that the data is not modified in an unauthorized manner. Make sure that if we have some data on a server or sent across the network that we can detect if it's changed in some unauthorized manner. Non-repudiation, make sure entities can't deny that they've communicated. Some entities send messages but then later say they didn't send the message, well that can be a problem. Non-repudiation is providing a service such that that can't happen. Availability, make sure our computer system is available to the users. These are services that we often want to provide in a computer system and in a computer network. We may not want to provide all of them at the same time. It depends upon our requirements and our security policy and attacks, especially with respect to communication networks or lines, a line may be a single cable but we can generalize to an entire network. What types of attacks are possible on networks? First we classify as either passive or active and we'll come back to what they mean after we go through the individual attacks. Within passive there are two types of attacks and then within active four types. First go through those six and then come back and explain what is passive and active and what are the differences in terms of detection and prevention. These are diagrams taken from another textbook by the same author as the one that we're using but more focused on network security. But a simple illustration of the six attacks. The first attack, release message contents and it's maybe the most common one we think about when we talk about security and network security. That is an attack where the contents of some message are released to unauthorized people. I send a message to someone and I don't want other people to read it and attack is such that other people get to read that message. So what this diagram illustrates is that we have two normal users, Bob and Alice. They are the normal users of our computer system or our network. We have some network, this cloud. And normally in this scenario Bob sends messages to Alice and an attack on this is that Bob sends a message to Alice. Some malicious user, the attacker, Darth, somehow intercepts the message and reads the contents of that message. So that is an attack if the contents of that message was supposed to be confidential. For example Alice is a secretary and Bob is a faculty member sending the exam to the secretary to print across the network as an email attachment. And Darth is some student and normally we don't want the students to be able to read the exam before they are available and in this case Darth performs an attack such that he can intercept and get a copy of that message and read the exam. The contents of that message has been released to unauthorized people. So we don't want that to be able to occur in many cases. That is a common service or a common service we want to provide is data confidentiality. If we provide data confidentiality this attack should not be able to occur. How does Darth intercept the message and read it? Well we will see different ways that that can be done so we are not going into that detail just yet. How do we stop Darth from getting the contents of the message? Any ideas? You send a message to someone else and you don't want other people to read the message. You send it across the internet or across a network in general. How can you stop other people from reading the message? Encrypt is the most common technique, the secure technique. Rather than stopping Darth from accessing the message or receiving or intercepting the message that's hard to do in many cases. So it's hard to stop Darth from somehow getting access to this network and seeing the messages. So assuming Darth can intercept messages across the network what we want to do is stop Darth from being able to read the contents of those messages. So what we do is that the sender before they send the message they encrypt that message. Transform the message into some ciphertext which we will explain later but some form such that even if Darth can intercept and get a copy he cannot understand what the original message was. He cannot decrypt and get the original message. But Alice can decrypt the message and get the original message. So the next topic and we will get on to that today is what is encryption and how does it work and what are the different algorithms we have available for encryption. So encryption solves this problem in most cases. Encryption is a security mechanism that we use to try and prevent this attack. Just going back we said there are attacks, services, what we want to provide and then we will use mechanisms to try to provide those services. Encryption is an example of one mechanism. Let's look at the other attacks. Traffic analysis. Bob sends messages to Alice at the normal operation. But then a malicious user Darth intercepts messages. I think those messages are encrypted so Darth sees that there is messages being sent but he cannot read the contents of the messages. So even if we use encryption Darth may be able to learn something about what is happening by analyzing the frequency of the messages being sent, what time of day, how many messages are sent, what size the messages are, by analyzing the traffic between two entities, by analyzing the messages between entities, an attacker may be able to learn some information that they wouldn't be able to know without analyzing it. So this is an attack, a traffic analysis attack where the malicious user observes the patterns of communications. That doesn't necessarily read the contents of the messages but just sees that there is a message from Bob to Alice. Let's say Alice and Darth are married, husband and wife, and Bob is not married to Alice of course and Bob is sending messages to Alice at some strange time of night. Every five minutes and the husband here is trying to observe, is my wife talking to someone else at midnight and who? Well Bob and Alice are smart enough to encrypt their messages so Darth can't see the contents of those messages but maybe Darth can make some observations because Alice told him this morning that she is going to bed at 12 o'clock but instead she is chatting with Bob. By observing the patterns of communications, time of day, time of date, the frequency of the messages and even the size of the messages, we can start to make some observations about what's actually happening. The more maybe realistic scenario, Bob and Alice are known terrorists and so they are known by some law enforcement agency, they are sending encrypted messages and the law enforcement agency is monitoring their communications. They cannot see the messages they are sending to each other but they know when they are sending a lot of messages and when they are sending few messages and maybe from past behavior they can observe on this day of the month they send a lot of messages that may mean a prelude to an attack or something. So by using other information the malicious user can learn about what's going on. This raises a point, the malicious user or the attacker may not necessarily be a bad person or may not be doing something unlawful. Just because we say that an attacker or malicious user, it may be what they are doing is good and or legal, so it doesn't mean they are doing something illegal or bad. So analyze the patterns of communications is an attack, masquerade attack, pretend to be someone else, that's what that means. Alice is the finance officer for SIT, Bob is the director and what happens is at the end of the year Bob normally sends a message to the finance director saying give this person a pay rise, reduce this person's salary and then Alice does that on the accounts and their salary changes. Darth is a faculty member and sends a message to Alice saying increase Darth's salary by 10,000 baht, signed by Bob. Darth sends a message pretending to be Bob the director, Alice receives a message from Bob, increased Darth's salary by 10,000 baht, so she implements that. So this is an attack where our malicious user pretends to be someone else to achieve their goal. What technique can we use to try and prevent or stop that attack, detect that attack? How can we stop that from happening, anyone? We need, generally we cannot stop Darth from sending messages to Alice. So what we generally need is some form of authentication such that when Alice receives a message she can verify who really sent that message. The message says from Bob but we need some other mechanisms to check. Is it really from Bob or just someone pretending to be from Bob? So authentication is the service related to stopping this attack. We'll see those mechanisms again in the next topic and that's related to this rather famous comic on the internet, nobody knows you're a dog in that on the internet there's no inbuilt mechanisms for authentication in most cases. So how do you know who the person you're communicating with across the internet? How do you know who they are? Well, we need some special mechanisms to make sure we can detect who they are or verify. Another attack, replay. Again, the director sends a message to Alice at the end of every month, let's say, increase the salary of this faculty member by so many baht. And he sent a message to Alice saying increase the salary of Darth by 10,000 baht, he did good work. Darth receives or intercepts and takes a copy of that message. And next month, Darth sends the exact same message to Alice. He replays that message that was sent in the past. Alice receives it, it's signed by Bob. It's the exact same message that Bob sent in the first place. And therefore Alice believes the message and now increases Darth's salary by another 10,000 baht when in fact it's just a replay of the original message. How do we stop that? Well, maybe we can use some form of time stamp, some way to check the time of when the message was sent and when it was received. So in this case, if the message was sent one month ago and Darth just re-sends that old message, maybe Alice can detect, okay, here's a message. It's from Bob, but it was really sent one month ago. It shouldn't be delayed so much. Then maybe Alice can detect that something went wrong. So replay old messages is a form of an attack. Modify messages. Bob sends a message to Alice saying decrease Darth's salary by 10,000 baht. Darth intercepts that message, modifies, decrease to increase, forwards it onto Alice, Alice receives it. Again, it's from Bob, signed by Bob, but has performed an attack in modifying the contents of the message. So we care about the integrity of the data being sent. When we send a message from Bob, the message received by Alice should be identical. It shouldn't be modified along the way. So the service we want to provide is called data integrity. An attack against that service is this modification attack and a slightly different one, the last one, denial of service. There's some web server or some server on the network that is needed for all the normal users to do their daily jobs. Maybe it's some accounting server and the finance officers need to use it every day to do their job. The malicious user somehow overloads that server by sending many packets to it. Overloads the server so the server cannot respond to the normal users, Bob in this case. Denying the normal users access to the service. So by somehow overloading the server, the normal users cannot use the server, therefore we have a denial of service attack. That's the basic principle of DOS attacks. And this is related to the service of availability. Availability says we want to keep the network, the services, available to the normal users. If they're not, then that's a bad thing. So six general types of attacks on communication networks. Go back and look at them and try and explain the difference between active and passive. The first two, release message contents and traffic analysis are passive attacks. What that means is when the attack occurs, it doesn't modify what happens if the attack didn't occur. Let's say there was no attack in this case. Remove DAF from the picture. What's normally happening is Bob sends a message to Alice. So we think the normal operation, let's say Bob creates a message, sends one message, Alice receives one message. The exact same one that Bob sent. That's the normal operation. Now we introduce the attack where in this case DAF gets a copy of the message and reads the contents. When the attack occurs from the perspective of Bob and Alice, nothing has changed. Bob still sends a message. Alice still receives that one same message. So from the normal user's perspective, the system hasn't changed, even with the attack. And that's why we say it's a passive attack. A passive attack doesn't modify the system resources. It doesn't modify the number of messages sent or received or the contents of those messages with respect to when there was no attack. The same applies with traffic analysis. If there was attack or no attack from the perspective of the normal users, nothing's different. A passive attack. Whereas in Masquerade and the following three attacks, we call them active attacks. Imagine there's no attack. Remove DAF. Bob sends no messages. Alice would receive no messages in the normal operation. But then we introduce the attack. DAF sends a message pretendingly from Bob. Alice receives one message in this case. So that's different from when there was no attack in that case. With no attack, there was nothing sent or received. With the attack, Alice receives a message. So something's changed now. We've modified how the system normally works. It's an active attack. And the following three you can check and see also are active attacks. Passive attacks make use of information, but they don't affect how the system operates. The system resources. The system being the normal users. The users, the messages, the network resources. The first two are cases. Active attacks alter, modify the system resources or operation. Because they change how the system normally operates, they're generally easy to detect. Because if we can detect some change in the operation, we detect, oh, that must be an attack. Because normally it operates differently. Whereas a passive attack doesn't change anything. So hard to detect that an attack is happening. Because nothing's changed from the normal behavior. But generally passive attacks are easy to prevent. Easier than active attacks. Easier to prevent in that, for example, we're going to apply encryption. And we immediately stop at least the releasing of message contents. Active attacks compared to passive attacks are harder to prevent them from happening. So we must detect that they happen. And once we detect, then we can either take action. Or in fact the ability to detect acts as deterrence for the attack even happening. So deterrence is an important thing as well. For example, if you're going to perform an attack where you pretend to be... You send an email to me pretending to be the SIT director. Then if I know or we know that we can easily detect such a fake email, then most likely, and you know that if you send it, that it will be easily detected, then most likely you're not going to do it. Because it deters you from performing the attack. Because you know if you're caught, you'll get in trouble in other ways. So deterrence is important. And by being able to detect, we often stop the attacks from happening. The project last semester. Remind me, what do we do? Are you sent a file? So last semester, and maybe others have done it as well, that a task with wireless LAN, we had two laptops, one sent a file to the other, and a third laptop intercepted and received the contents of that file. Which of the six attacks was it? One release message contents, traffic analysis, or either of these four. Which one is that? Assuming that file that you sent was a confidential file, intended between just the two computers. It was the first one. That third computer, let's say they were the malicious user, you ran some capturing software that monitored the packets and captured them. And eventually you received the contents, and you could see the contents of the file that's sent between the two laptops. So yeah, that was a passive attack in that if there was no attack, there's still a file sent between the two laptops. With the attack, again, the file is sent and received as is. So whether there's attack or not, the normal users, nothing changed. Okay. It was well, it depends on what you wanted to achieve, but in that case, we sent a file between two laptops and a third laptop, so let's say read the contents of that file. So we released the message contents, assuming that file was supposed to be confidential. So we'd say this one. Think of traffic analysis is, we don't look at the contents of the file. We just saw that there was a file sent from A to B. Maybe that's enough information to determine something that we couldn't determine without monitoring. So another example of traffic analysis, a simple one. An employee in a company works in a company and they have many secrets, trade secrets in that company. They're not supposed to release any trade secrets to outside people and the employer is monitoring the employee's internet traffic and they see one employee is sending many messages to some competitor company. Maybe that messages are encrypted, but maybe that's an indication that the employee is communicating with a competitor company and that may mean something bad is happening. It may need a follow-up to find out what's happening. So traffic analysis, normally the contents of the message are not so important. It's the fact that there are messages. Any problems so far on our services or attacks? Any questions before we move on? Easy so far. Okay. That's next. Actually, that reminds me. So the homework was to look at the website so make sure you look at the website. Some people have spoken to me about the course structure. A few people sent me emails. I got three or four emails from people. So some emails I got. IT security is fun. Your course last semester was hard, but it made me study hard. Can you make IT security harder? Okay. So that was a theme I got from several emails from students and people spoke to me. So let's make it harder. And one of our exchange students, I don't think he's here today, sent me an email from France and he studied similar things before. So he wants it harder as well. Okay. And all right, we plan to have quizzes, maybe two or three through the semester, but I think some people want more quizzes, one every week. So we can have a quizzing class every week and a Moodle quiz every week. Okay. So thanks for the feedback. Okay. What? Is this your email address? That's your email. Can we see? Yeah. Your email address, I think. Yeah. Correct. I received the email. Hmm? Okay. Any problems with making the course harder, having the quizzes every week? Email is very easy to fake. Okay. So all right, this is just an example of what I did was on another computer. I sent an email to myself, onto this, my SIT account. But it's very easy with email to change the from address. Okay. So every email has a from field, who it's from. And when my email client received the message and it sees the from field in that email, and that's what's shown here. But in fact, it was from someone else. If we look at the details of that email, the plain text. So this is the message. These are all the headers in the email. It's hard to see. But we can actually trace back. So the from field is here. But there is some other information saying, okay, well, if I follow, where did it originally come from? Some server, sandylands.info. Okay. So it didn't come from the hotmail server. It came from one of my other servers. It was a fake email, or it was an email that I sent to myself. But I just changed the from address. So you cannot trust emails that you receive. It's very easy. If you just use the from address to masquerade to pretend to be someone else. Therefore, we need some other mechanisms if we want to be able to be sure where the email came from to be able to verify that the center of this email is who they say they are. And that's what the next topic will cover. I will show you some demonstration. So this is a very simple one. Anyone can change the from address with a little bit of software for an email. I hope it's obvious, but the things that we're going to cover in this course, IT security, we're going to look at security mechanisms and attacks. And we'll look at very basic things. We will not look at advanced attacks, but the very basic principles. And you'll see that you could apply these principles and perform real attacks in the real world. And do bad things, and maybe even good things. Now, don't do bad things. That's the ethical part of this course is saying even though you may know how to do something, it doesn't give you permission to do that. So you still need to make a good judgment as to what you should and should not do, what's good and what's bad. For example, you'll see that it's very easy to intercept wireless LAN traffic, intercept and read the contents of messages sent by other people when they're using Wi-Fi, especially on SIT's network. Very easy to do, and you did it in your assignment last semester. It doesn't mean you're allowed to do it. It doesn't mean it's legal because it's easy to do, and it doesn't mean you should do it. So don't do it. The virtual networking software that will get you to set up and use will allow you to do attacks in a virtual network. For example, after the midterm, we'll get to some practical exercises where on your computer, you set up a virtual network of three or four computers running all on your computer using VirtualBox. And inside that virtual network, you can do attacks, intercept messages, and do malicious things. Of course, it's all inside your computer. So we get a chance to do real attacks, but don't do it in the real world. Do it in a virtual world. So we normally need to provide some services to prevent and detect the attacks, and to provide those services, we use a range of different mechanisms. There's no one mechanism that we can use to solve all attacks. So there are different techniques to prevent, detect, recover from attacks. And the most common techniques use crypt...or a part of cryptography. We use cryptographic techniques. The next topic explains what we mean by cryptography. But things like encryption. Encryption is a main part. And we'll see related... So encryption also here called encipherment. To encipher, to encrypt something. We'll see other things like digital signatures, firewalls, authentication protocols. Notarisation is providing some proof that something's happened to notarise something. So we'll see some different mechanisms through the subsequent topics. That just relates some mechanisms to some of the services here and in the columns, different mechanisms. For example, to provide confidentiality data, we use encipherment or encryption. But I think we'll not go through this. We'll see as we go through the different mechanisms and you'll see what services that can provide. That almost finishes this topic. The last few slides. Okay, one more thing. Some different terminology. So for computer security in general, we can talk about what's our strategy. Think of an organisation. They want to secure their computer system. Well, they need some policy. What is the security scheme supposed to do? What's our aim for securing our network, securing our computers? So that's a policy. So maybe some written rules or just some guidelines, okay? No faculty member can access the grades of a student that they do not teach. That may be a rule as part of a policy. And of course, we need to deal with practice and not everything is possible. So we need to consider, okay, the assets that we're trying to protect. How important are they? What are the potential? What are the vulnerabilities? What are the problems and flaws in those assets? What are the bugs in the software? What are the holes that can lead to attacks? And what are the possible threats? And what's the chance of attacks happening? Okay, so by considering all these, we can start to guide what mechanisms we'll use to implement this policy. So some attack, in theory, may be possible, but the chance of it happening may be very, very, very low. And therefore, we may put that as low priority, try and solve that attack. So we need to make trade-offs. We'll see that some security mechanisms make it harder for the users to use the system. So do we make it hard for the user and make it secure, or do we make it easy for the user but less secure? If the user will not use it, then we've been unsuccessful. Security mechanisms cost money to implement, to buy the software, for the personnel to implement and apply the mechanisms cost money. But so do failures, so do attacks. And recovering from attacks, they cost money as well. So you need to trade-off which ones are the cheaper option, not easy to do. So you have some policy, which is what you want to achieve. Then you implement. You use mechanisms to implement that policy. And that's what we'll look at in the next topic. Some mechanisms to prevent, detect, respond and recover. And then you implement those mechanisms. And you don't just leave your computer system running forever, you need to check that those mechanisms are working. So some assurance. Does it really work as you expected? What measure of confidence do we have that they're working? Evaluate that the system is working. And there are many fields or standards and procedures of doing the evaluations, computer security assurance, computer security policies. There are many details of that, which we will not get to cover in this course. But that's another field of computer security. This one I'm not going to mention now. Maybe next week I'll point you to a document, a short document that describes these. We will not go through them right now. At the end of each of these slides, I'll provide a few summary slides. I may not go through them in the lecture. It's more for you to pick up some main points. But okay, what have we gone through? There are multiple objectives of computer security. The three main ones, confidentiality, integrity, availability, CIA. We want to protect assets. We've looked at different types of attacks. There are different services that we want to provide. And to prevent the attacks, to provide services, we have countermeasures or security mechanisms. And that's what we... They often use cryptographic techniques, and the next topic is on cryptography. What are those mechanisms? And again, at the end, I'll give some areas to explore. And this is if you want to go read about these topics. I will not cover them in the course. This lists all these acronyms, really refer to organizations, companies, organizations, which are related to computer security. So if you're interested, go search, find out what all these acronyms mean, and you'll see what these organizations do. Some organizations that create standards for security, that monitor attacks and threats. So keep databases of potential attacks and organizations that give you some certificate to say that you're good at security, for example. So you get a better job. Let's move on to cryptography.