Computer and Network

security-Module 1
By Dr Nagaraj R Aiholli
 Need for Security-Basic
Concepts
Initial computer applications had no, or very little security as the importance
of data was not realized then.
When computer applications were developed to handle financial and
personal data, the need for security arose.
With this realization, security began to gain prominence and security
mechanisms began to evolve.
Examples of security mechanisms:
• Provide a user id and password to every user, and use that information to
authenticate a user
• Encode information stored in the databases, so that it is not visible to users
who do not have the right permissions.
 Need for Security-Basic
Concepts
Organizations employed their own security mechanisms to provide
basic security.
As technology improved, newer applications began to be developed
and the basic security measures were not sufficient.
Further with the evolution of the biggest computer network, Internet,
the need for right security policy, technology implementations
became very important.
Example of information traveling from Client to server over the
internet.
Information travelling from a client to a
server over the internet
 Information travelling from a client
to a server over the internet
• From the user’s computer, the user details such as user id, order details such
as order id and item id and payment details such as credit card information
travel across the Internet to the merchant’s server.
• The merchant’s server stores these details in its database.
• The various security holes in this are:
• An intruder can capture the credit card details as they travel from the client
to the server.
• Once the merchant receives the credit card details and validates them so as
to process the order and later obtain payments, the merchant stores the
credit card details into its database. An attacker can succeed in accessing this
database and gain access to all the credit card numbers stored there.
 Modern Nature of attacks
 The salient features of the modern nature of attacks are:
 Automating attacks: Humans dislike repetitive and difficult tasks.
 Automating them can cause destruction more rapidly.
 Rather than producing fake currency on a mas scale, modern thieves will excel in stealing a very low
amount from million bank accounts in a matter of a few minutes.
 Privacy concerns: Collecting information about people and later misusing it is turning out to be a huge
problem.
 The data mining applications gather, process and tabulate all sorts of details about individuals.
 People can illegally sell this information.
 Security Approaches
 Trusted systems
 Distance does not matter: Thieves would earlier attack banks, as banks had money. These days money is
in digital form and moves around using computer network. It is easier for modern thief to attempt an
attack on the computer system of the bank, sitting at home
 Security Approaches-Trusted
systems
A trusted system is a computer system that can be trusted to a specified
extent to enforce a specified security policy.
Trusted system uses the term reference monitor, an entity at the logical heart
of the computer system which is responsible for all decisions across controls.
The reference monitor should be tamperproof, always be invoked and small
enough so that it can be independently tested.
The mathematical foundation for trusted systems was provided by two
independent, yet interrelated works. In 1974, a technique called as Bell-
LaPadula model was devised which was a highly trustworthy computer
system designed as a collection of objects (files, disks and printers) and
subjects (users, processes or threads)
 Security Models
 An organization can take several approaches to implement its security model.
 The various approaches are:
 a) No security: This is the simplest model with no security at all.
 b) Security through obscurity: In this model, a system is secure simply because nobody knows
about its existence and contents.
 This approach cannot work for too long, as there are many ways an attacker can come to know
about it.
 c) Host security: In this scheme, the security for each host is enforced individually. This is a
safe approach, but the complexity and diversity of modern sites/organizations makes the task
harder and difficult to scale.
 d) Network security: Host security is tough to achieve as organization grows and becomes
more diverse. In this technique, the focus is to control network access to various hosts and
their services, rather than individual host security. This is a very efficient and scalable model.
 Security Management Practices
Good security management practices always have a good security
policy which takes care of 4 key aspects.
1) Affordability: How much money and efforts does this security
implementation cost?
2) Functionality: What is the mechanism of providing security?
3) Cultural issues: Does the policy gel well with people’s expectations,
working style and beliefs?
4) Legality: Does the policy meet the legal requirements?
 Security Management Practices
Once a security policy is in place, the following points should be
ensured.
Explanation of the policy to all concerned.
Outline everybody’s responsibilities.
Use simple language in all communications.
Accountability should be established.
Provide for exceptions and periodic reviews.
 Principles of Security
The four chief principles of security are:
1) Confidentiality
2) Authentication
3) Integrity
4) Non repudiation(non rejection of proposal or idea)
Two more principles that are linked to the overall system are:
5) Access control 6) Availability
 1) Confidentiality
The principle of confidentiality specifies that only the sender and the
intended recipient(s) should be able to access the contents of a
message.
Confidentiality gets compromised if an unauthorized person is able to
access a message. Example of compromising the confidentiality of a
message is shown in Fig below:
Loss of confidentiality
 1) Confidentiality
Here the user of computer A sends a message to the user of
computer B. Another user C gets access to this message, which is not
desired, and therefore, defeats the purpose of confidentiality.
Example:- A confidential email message sent by A to B, which is
accessed by C without the permission or knowledge of A and B. This
type of attack is called as interception. “Interception causes loss of
message confidentiality”
 2) Authentication:
Authentication establishes proof of identities.
The authentication process ensures that the origin of an electronic
message or document is correctly identified.
For instance, suppose that user C sends an electronic document over
the Internet to user B, posing as user A.
How would user B know that the message has come from user C, who
is posing as user A.
Absence of authentication
 2) Authentication:
Example: User C posing as user A, sends a funds transfer request
(from A’s account to C’s account) to bank B. The bank will transfer the
funds from A’s account to C’s account, thinking that user A has
requested for the funds transfer. This type of attack is called as
fabrication.
“Fabrication is possible in the absence of proper authentication
mechanisms”
 3) Integrity:
 Example: User C posing as user A, sends a funds transfer request (from A’s account to C’s
account) to bank B.
 The bank will transfer the funds from A’s account to C’s account, thinking that user A has
requested for the funds transfer. This type of attack is called as fabrication.
 “Fabrication is possible in the absence of proper authentication mechanisms”
 When the contents of a message are changed after the sender sends it, but before it reaches the
intended recipient, the integrity of the message is lost.
 Example: Suppose you write a cheque for $100 to pay for the goods bought from the store, but in
the account statement it is observed that the cheque resulted in a payment of $1000! This is the
case of loss of message integrity.
 Fig below demonstrates loss of integrity.
 User C tampers (modifies) a message originally sent by user A, which is actually destined for user
B.
 User C somehow manages to access the message, change its contents and send the changed
message to user B. Neither A nor B knows that the contents of the message were changed after
user A had sent it. This type of attack is called as modification.
 “Modification causes loss of message integrity”
Loss of integrity
 Non repudiation:
There are situations where a user sends a message and later refuses
that the message was sent.
This is repudiation (refuse to accept).
Example: User A could send a fund transfer request to bank B over the
internet. After the bank performs the funds transfer as per A’s request,
A could claim that he never sent the fund transfer request to the bank.
Thus, A repudiates, or denies the fund transfer instruction.
The principle of non-repudiation defeats such possibilities of denying
something, having done it. “Non repudiation does not allow the sender
of a message to refuse the claim of not sending that message”.
 5) Access control:
The principle of access control determines who should be able to access
what.
For instance, we should be able to specify that user A can view the records
in a database, but cannot update them. However, another user B might be
allowed to make updates as well. An access control mechanism can be set
up to ensure this.
Access control is broadly related to two areas: role management and rule
management.
Role management concentrates on the user side (which user can do what)
Rule management focuses on the resources side (which resource is
accessible, and under what circumstances).
 Access control:
Based on the decisions taken here, an access control matrix is
prepared, which lists the users against a list of items they can access
(it can say that user A can write to file X, but can only update files Y
and Z).
An access control list (ACL) is a subset of an access control matrix.
“Access control specifies and controls who can access what.”
 6) Availability:
The principle of availability states that resources (information) should
be available to authorized parties at all times.
Example: Due to the intentional actions of another unauthorized user
C, an authorized user A may not be able to contact a server computer
B as shown in fig below
This would defeat the principle of availability. Such an attack is called
as interruption.
“Interruption puts the availability of resources in danger”
Attack on availability
 7) Ethical and Legal issues:
The ethical issues in security systems are classified into four
categories:
Privacy – deals with the right of an individual to control personal
information
Accuracy – deals about the responsibility for the authenticity,
fidelity(faithfulness) and accuracy
Property – talks about the owner of the information and about who
controls access.
Accessibility – deals with the issue of type of information an
organization has the right to collect.
 7) Ethical and Legal issues:
While dealing with legal issues, there is a hierarchy of regulatory bodies
that govern the legality of information security which can be classified as
follows:
International -e.g International Cybercrime Treaty
Federal – e.g. FERPA(The Family Educational Rights and Privacy Act (FERPA)
is a federal law that affords parents the right to have access to their
children’s education records), Patriot Act(against attacks)
State – e.g. UCITA(Uniform Computer Information Transactions
Act (UCITA) was an attempt to introduce a Uniform Act for the United
States to follow)
Organization – e.g. Computer use policy
 Types of attacks
Attacks can be classified into two views :
A common man’s view and technological view.
Attacks: A general view Attacks can be classified into three categories:
Types of attacks
Criminal attacks
Criminal attacks
 Publicity Attacks
Occurs because the attackers want to see their names appear on
television news channels and newspapers for publicity. These types of
attackers are usually not hardcore criminals.
They are people such as students in universities or employees in large
organizations, who seek publicity by adopting a novel approach of
attacking computer systems.
 Legal attacks
This form of attack is quite novel and unique.
The attacker tries to make the judge or jury doubtful about the
security of a computer system.
Attacks: A Technical view
The attacker attacks the computer system and the attacked party
(Bank or organization) manages to take the attacker to the court.
The attacker tries to convince the judge that there is inherent
weakness in the computer security system and exploits the weakness
of the judge.
 Attacks: A Technical view
The types of attacks on computers and network systems can be
classified into two categories:
(a) Theoretical concepts behind these attacks
(b) Practical approaches used by the attackers.
 a) Theoretical Concepts
The principles of security face threat from various attacks. These
attacks are classified into four categories, as mentioned namely:
Interception - This attack results from violating confidentiality.
 It means that an unauthorized party has gained access to a resource.
The party can be a person, program or computer-based system.
Example: Copying of data or programs and listening to network
traffic.
 Fabrication
This attack results from violating authentication.
This involves creation of illegal objects on a computer system.
Example: The attacker may add fake records to a database.
 Modification and Interruption
• Modification –
• This attack results from violating Integrity. The attacker may modify
the values in a database.
• Interruption-
• This attack results from violating availability.
• The resource becomes unavailable, lost or unusable.
• Example: Causing problems to a hardware device, erasing program,
data or operating system components.
 Types of attacks
• These attacks are further grouped into two types:
• ➢ Passive attacks ➢ Active attacks
Types of attacks
 Passive attacks

• Passive attacks
• Passive attacks are those, wherein the attacker indulges in
eavesdropping or monitoring of data transmission.
• The attacker aims to obtain information that is in transit.
• The term passive indicates that the attacker does not attempt to
perform any modifications to the data.
• Passive attacks are harder to detect.
• The general approach to deal with passive attacks is to think about
prevention, rather than detection or corrective actions.
 Passive attacks
• Passive attacks do not involve any modifications to the contents of an
original message.
• Passive attacks can be further classified into two sub-categories.
These categories are:
• Release of message contents
• Traffic analysis
 Release of message contents:
• When a confidential email message is sent, it is desired that only the recipient is
able to access it.
• Otherwise, the contents of the message are released against our wishes to
someone else.
• Using certain security mechanisms, we can prevent release of message contents.
• For example, we can encode messages using a code language, so that only the
desired parties understand the contents of a message, because only they know
the code language.
• However, if many such messages are passing through, a passive attacker could try
to figure out similarities between them to come up with some sort of pattern
that provides the attacker some clues regarding the communication that is taking
place.
 Release of message contents:
• Such attempts of analysing (encoded) messages to come up with
likely patterns are the work of the traffic analysis attack.
 Active attacks
• The active attacks are based on modification of the original message
in some manner or the creation of a false message.
• These attacks cannot be prevented easily.
• They can be detected with some effort and attempts can be made to
recover from them.
• These attacks can be in the form of interruption, modification and
fabrication.
 Active attacks
• In active attacks, the contents of the original message are modified in
some way.
• Trying to pose as another entity involves masquerade (interruption)
attacks.
• Modification attacks can be classified further into replay attacks and
alteration of messages.
• Fabrication causes Denial Of Service (DOS) attacks.
Active attacks
 Active attacks
• Masquerade is caused when an unauthorized entity pretends to be
another entity.
• Example: User C might pose as user A and send a message to user B.
User B might be led to believe that the message indeed came from
user A.
• In masquerade attacks, an entity poses as another entity.
• Example, the attack may involve capturing the user's authentication
sequence (e.g. user ID and password).
• Later those details can be used to gain illegal access to the computer
system.
 Active attacks
• Replay attack is caused when a user captures a sequence of events or some data units
and re-sends them.
• For instance, suppose user A wants to transfer some amount to user C's bank account.
• Both users A and C have accounts with bank B.
• User A might send an electronic message to bank B, requesting for the funds transfer.
• User C could capture this message and send a second copy of the same to bank B.
• Bank B would have no idea that this is an unauthorized message and would treat this
as a second and different funds transfer request from user A.
• Alteration of messages involves some change to the original message.
• Therefore, user C would get the benefit of the funds transfer twice: once authorized,
once through a replay attack
 Active attacks
• For instance, suppose user A sends an electronic message-Transfer $100 to
D's account to bank B. User C might capture this and change it to Transfer
$1000 to C's account.
• Both the beneficiary and the amount have been changed - instead, only
one of these could also caused alteration of the message.
• Denial Of Service (DOS) attacks make an attempt to prevent legitimate
users from accessing some services, which they are eligible for.
• For instance, an unauthorized user might send too many login requests to a
server using random user ids one after the other in quick succession, so as
to flood the network and deny other legitimate users from using the
network facilities.
 The Practical Side of Attacks
• The security attacks can happen at the application level or the
network level and can be classified into broad categories: Application-
level attacks and Network-level attacks
• Application-level attacks: These attacks happen at an application level,
i.e. the attacker the attempts to access, modify or prevent access to
information of a particular application or the application itself.
• Example: Trying to obtain someone’s credit card information on the
Internet or changing the contents of a message to change the amount
in a transaction, etc.
 The Practical Side of Attacks
• Network-level attacks: These attacks generally aim at reducing the
capabilities of a network by a number of possible means.
• These attacks generally make an attempt to either slow down or
completely bring to halt, a computer network.
• This can lead to application-level attacks, because once someone is
able to gain access to a network, they can access/modify at least
some sensitive information, causing havoc.
 PROGRAMS that ATTACK
• Virus
• Worm
• Trojan Horse
• Cookies Programs that attack computer systems to cause some
damage or to create confusion
• Applets(small application in a large program) & ActiveX
Controls(controlling content downloaded from internet)
• JavaScript(Oracle company) VBScript & Jscript(Microsoft company)-
Programming languages
1) Virus
 1) Virus
• Virus can be used to launch an application-level attack or a network
level attack virus.
• A virus is a computer program that attaches itself to the legitimate
program code and runs when the legitimate program runs causing
damage to the computer system or to the network.
• It can infect other programs in that computer or programs that are in
other computers but on the same network as shown in figure.
 1) Virus
• In this example, after deleting all the files from the current user's
computer, the virus self-propagates by sending its code to all users
whose email addresses are stored in the current user's address book.
• Viruses can also be triggered by specific events (e.g. a virus could
automatically execute at 12 PM every day).
• Usually, viruses cause damage to computer and network systems to
the extent that it cannot be repaired, assuming that the organization
deploys good backup and recovery procedures.
 1) Virus
• During its lifetime, a virus goes through four phases:
• (a) Dormant phase: Here, the virus is idle. It gets activated based on certain
action or event (e.g. the user typing a certain key or certain date or time is
reached, etc). This is an optional phase.
• (b) Propagation phase: In this phase, a virus copies itself and each copy
starts creating more copies of self, thus propagating the virus.
• (c) Triggering phase: A dormant virus moves into this phase when the
action/event for which it was waiting is initiated.
• (d) Execution phase: This is the actual work of the virus, which could be
harmless (display some message on the screen) or destructive (delete a file
on the disk).
 1) Virus
• Viruses can be classified into the following categories:
• (a) Parasitic virus: This is the most common form of viruses. Such a virus attaches
itself to executable files and keeps replicating. Whenever the infected file is executed,
the virus looks for other executable files to attach itself and spread.
• (b) Memory-resident virus: This type of virus first attaches itself to an area of the
main memory and then infects every executable program that is executed.
• (c) Boot sector virus: This type of virus infects the master boot record of the disk and
spreads on the disk when the operating system starts booting the computer.
• (d) Stealth virus: This virus has intelligence built in, which prevents anti-virus
software programs from detecting it.
• (e) Polymorphic virus: A virus that keeps changing its signature (i.e. identity) on every
execution, making it very difficult to detect.
 1) Virus
• (f) Metamorphic virus: In addition to changing its signature like a
polymorphic virus, this type of virus keeps rewriting itself every time,
making its detection even harder.
• (g) Macro virus. This virus affects specific application software, such as
Microsoft Word or Microsoft Excel. These viruses affect the documents
created by users and spread easily since such documents are very
commonly exchanged over email.
• There is a feature called as macro these application software programs
work, which allows the users to write small useful utility programs
within the documents. Viruses attack these macros and hence the name
macro virus.
 2) Worm:
• A worm is similar to a virus, but different in implementation. A virus modifies a
program (i.e. it attaches itself to the program under attack) whereas a worm does
not modify a program.
• Instead, it replicates itself again and again.
• The replication grows so much that the computer or the network on which the
worm resides, becomes very slow, finally coming to a halt.
• The basic purpose of a worm attack is different from that of a virus. A worm attack
attempts to make the computer or the network under attack unusable by eating all
its resources.
• This is illustrated in figure 1.7
• A worm does not perform down any destructive actions and instead, only consumes
system resources to bring it down
Worm
 3) Trojan Horse
• A Trojan horse is a hidden piece of code.
• The main purpose of a virus is to make some sort of modifications to the target
computer or network whereas a trojan horse attempts to reveal confidential information
to an attacker.
• The name (Trojan horse) is due to the Greek soldiers, who hid inside a large hollow
horse, which was pulled by troy citizens, unaware of its contents.
• Once the Greek soldiers entered the city of Troy, they opened the gates for the rest of
Greek soldiers.
• In the same way, a Trojan horse could silently sit in the code for a Login screen by
attaching itself to it.
• When the user enters the user id and password, the Trojan horse could capture these
details and send this information to the attacker without the knowledge of the user who
had entered the id and password.
 3) Trojan Horse
• A Trojan horse allows an attacker to obtain some confidential information about
a computer or a network.
• The attacker can then use the user id and password to gain access to the system.
• This is shown in figure - Trojan Horse
• 4) Applets and ActiveX Controls: • Applets and ActiveX controls were born due
to the technological development of the World Wide Web (www) application of
the Internet.
• The Web consists of communication between client and server computers using
a communications protocol called as Hyper Text Transfer Protocol (HTTP).
• The client uses a piece of software called as Web browser. The server runs a
program called as Web server.
Trojan horse
 Applets and Active X controls
• In its simplest form, a browser sends a HTTP request for a Web page to
a Web server. The Web server locates this Web page (actually a
computer file) and sends it back to the Web browser, again using HTTP.
• The Web browser interprets the contents of that file and shows the
results on the screen to the user. This is shown in Fig.
• Here, the client sends a request for a Web page called as
www.yahoo.com/info, which the server sends back to the client.
• Many Web pages contain small programs that get downloaded onto
the client along with the Web page itself. These programs then execute
inside the browser.
Applets and Active X controls
 Applets and Active X controls
• Sun Microsystems provides Java applets for this purpose and Microsoft's technology makes
use of ActiveX controls for the same purpose.
• Both are small programs that get downloaded along with a Web page and then execute on
the client.
• This is shown in Fig.
• In Figure - Applet sent back along with a Web page.
• Here, the server sends an applet along with the Web page to the client.
• Usually, these programs (applets or ActiveX controls) are used to either perform some
processing on the client side or to automatically and periodically request for information
from the web server using a technology called as client pull.
• For instance, a program can get downloaded on to the client along with the Web page
showing the latest stock prices on a stock exchange and then periodically issue HTTP
requests for pulling the updated prices to the Web server.
Applets and Active X controls
 Applets and Active X controls
• To prevent these attacks, Java applets have strong security checks as
to what they can do and what they cannot.
• ActiveX controls have no such restrictions.
• A number of checks have been in place to ensure that neither applets
nor ActiveX controls can do a lot of damage and even if they
somehow manage to do it, it can be detected.
• Java applets (from Sun Microsystems) and ActiveX controls (from
Microsoft Corporation) are small client-side programs that might
cause security problems, if used by attackers with a malicious
intention.
 5) Cookies:
• Cookies were born as a result of a specific characteristic of the Internet.
• The Internet uses HTTP protocol, which is stateless.
• Suppose that the client sends an HTTP request for a Web page to the server.
• The Web server locates that page on its disk, sends it back to the client and completely
forgets about this interaction
• If the client wants to continue this interaction, it must identify itself to the server in
the next HTTP request.
• Otherwise, the server would not know that this same client had sent a HTTP request
earlier.
• Since a typical application is likely to involve a number of interactions between the
client and the server, there must be some mechanism for the client to identify itself to
the server each time it sends an HTTP request to the server.
 5) Cookies:
• For this, cookies are used. Cookies are the most popular mechanism of
maintaining the state information (i.e. identifying a client to a server).
• A cookie is just one or more pieces of information stored as text strings in
a text file on the disk of the client computer (i.e. the Web browser).
• Actually, a Web server sends the Web browser a cookie and the browser
stores it on the hard disk of the client computer.
• The browser then sends a copy of the cookie to the server during the next
HTTP request.
• This is used for identification purposes as shown in Figs (a) and (b).
5) Cookies:
5) Cookies:
 5) Cookies:
• This works as follows: (a) When you interact with a Web site for the first time, the site
might want you to register yourself.
• Usually, this means that the Web server sends a page to you wherein you have a form to
enter your name, address and other details such as date of birth, interests etc.
• (b) When you complete this form and send it to the server with the help of your browser,
the server stores this information into its database.
• Additionally, it also creates a unique id for you. It stores this id along with your
information in the database (as shown in Fig. (b)) and also sends the id back to you in the
form of a cookie.
• (c) The next time you interact with the server, you do not have to enter any information
such as your name and address.
• Your browser would automatically send your id (i.e. the cookie) along with the HTTP
request for a particular page to the server (as shown in Fig. b)).
 5) Cookies:
• (d) The server now takes this id, tries to find a match in its database
and having found it, knows that you are a registered user.
• Accordingly, it sends you the next page.
 6) JavaScript, VBScript and JScript
• A Web page is constructed using a special language called as Hyper Text Markup Language
(HTML).
• It is a tag-based language. A tag begins with the symbol <> and it ends with .
• Between these boundaries of the tags, the actual information to be displayed on the user's
computer is mentioned.
• As an example, let us consider how the tag pair and can be used to change the text font to
boldface.
• When a browser comes across this portion of a HTML document, it realizes that the portion
of the text embedded within the and tags need to be displayed in boldface.
• Therefore, it displays this text in boldface.
• In addition to HTML tags, a Web page can contain client-side scripts.
• These are small programs written in scripting languages like JavaScript, VBScript or Jscript,
which are executed inside the Web browser on the client computer.
 6) JavaScript, VBScript and JScript
• For instance, let us assume that a user visits the Web site of an online bookshop.
• Suppose that the Web site mandates that the user must place an order for at least three books.
• Then, the web page can contain a small JavaScript program, which can ensure that this condition
is met before the user can place the order.
• Otherwise, the JavaScript program would not allow the user to proceed.
• Note that HTML cannot be used for this purpose, as its sole purpose is to display text on the
client computer in a pre-specified format.
• To perform dynamic actions, scripts are needed.
• These scripts can be dangerous at times. Since these scripts are small programs, they can
perform a lot of actions on the client’s computer.
• There are restrictions on the actions of a scripting program.
• Incidents of security breaches have been reported, blaming the scripting languages.
 1.4.5 Dealing with viruses
• The detection, identification and removal of viruses’ steps is shown in figure.
• Detection of viruses involves locating the virus, having known that a virus has attacked.
• Then we need to identify the specific virus that has attacked.
• Finally, we need to remove it.
• For this we need to remove all traces of the virus and restore the affected programs/files to their
original states.
• This is done by anti-virus software.
• Anti-virus software is classified into four generations as shown in figure 1st Generation, 2nd Generation,
3rd Generation Generation, 4th Generation.
• The key characteristics of the four generations of anti-virus software.
• 1st generation:
• These anti-virus software programs were called as simple scanners. They needed a virus signature to
identify a virus. A variation of such programs kept a watch on the length of programs and looked for
changes so as to possibly identify a virus attack.
 1.4.5 Dealing with viruses
• 2nd generation
• These anti-virus software programs did not rely on simple virus signatures.
• Rather, they used heuristic rules to look for possible virus attacks.
• The idea was to look for code blocks that were commonly associated with viruses.
• Another variation of these anti-virus programs used to store some identification
about the file (e.g. a message digest) to detect changes in the contents of the file.
• 3rd generation:
• These anti-virus software programs were memory resident. They watched for
viruses based on actions, rather than their structure. Thus, it is not necessary to
maintain a large database of virus signatures. Instead, the focus is to keep watch
on a small number of suspect actions.
1.4.5 Dealing with viruses
1.4.5 Dealing with viruses
 1.4.5 Dealing with viruses
• 4th generation:
• These anti-virus software programs package many anti-virus
techniques together ( e.g. scanners, activity monitoring).
• They also contain access control features, thus attempts of viruses to
infect files.
• There is a category of software called as behavior-blocking software,
which integrates with the operating system of the computer and
keeps a watch on virus-like behavior in real time.
 1.4.5 Dealing with viruses
• Whenever such an action is detected, this software blocks it, preventing damages.
• The actions under watch can be: • Opening , viewing , modifying , deleting files
• Network communications
• Modification of settings such as start-up scripts
• Attempt to format disks
• Modification of executable files
• Scripting of email and instant messaging to send executable content to others
• The main advantage of such software programs is that they are more into virus
prevention than virus detection.
• In other words, they stop viruses before they can do any damage, rather than
detecting them after an attack.
 1.4.6 JAVA Security
• Java was designed in such a way that Java programs are considered safe as they
cannot install, execute or propagate viruses and because the program itself cannot
perform any action that is harmful to the user's computer.
• One of the key attributes of Java is the ability to download Java programs over a
network and execute these programs on a different computer within the context of a
Java-enabled browser.
• Different developers were attracted to Java with different expectations.
• As a result, they brought different ideas about Java security.
• If we put Java to be free from introducing viruses, any release of Java should satisfy
our requirements.
• However, if functionalities such as digital signatures, authentication and encryption
are required in the least release 1.1 of Java must be used.
 The Java Sandbox
• Java’s security model is closely associated with the idea of a sandbox
model.
• A sandbox(In a Java programming language, the sandbox is the program
area and it has some set of rules that programmers need to follow when
creating Java code-like an applet) model allows a program to be hosted and
executed, but there are some restrictions in place.
• The developer/end user may decide to give the program access to certain
resources.
• However, in general, they want to make sure that the program is confined
to its sandbox.
• The overall execution of a java program on the Internet is as shown in Fig.
The Java Sandbox
 The Java Sandbox
• The chief job of the Java sandbox is to protect a number of resources and it
performs this task so at a number of levels.
✓ A sandbox in which program can access the CPU, the screen, the keyboard and
mouse and its own memory. This is the basic sandbox. It contains just enough
resources for a program to execute.
✓ A sandbox in which a program can access the CPU and its memory as well as
access the Web server from which it was downloaded. This is often considered as
the default state for the sandbox.
✓ A sandbox in which program can access the CPU, its memory, its Web server and
to a set of resources (files, computers, etc.) that are local.
✓ An open sandbox, in which the program can access whatever resources the host
machine can.
 Java Application Security
• The broad level aspects of Java security and their relation to each other.
• The bytecode verifier: The bytecode verifier ensures that Java class files obey the
rules of the Java programming language.
• The bytecode verifier ensures memory protection for all Java programs.
• However, not all files are required to go through byte code verification.
• The class loader: Class loaders load classes that are located in Java's default path
(called as CLASSPATH).
• In Java 1.2, the class loaders also take up the job of loading classes that are not
found in the CLASSPATH.
• The access controller: In Java 1.2, the access controller allows (or prevents) access
from the core JAVA API to the operating system.
 Java Application Security
• The security manager: The security manager is the chief interface between
the core Java API and the operating system.
• It has the ultimate responsibility for allowing or disallowing access to all the
operating system resources.
• The security manager uses the access controller for many of these
decisions.
• The security package: The security package (that is, classes in the
java.security package) helps in authenticating signed Java classes.
• The key database: The key database is a set of keys used by the security
manager and access Controller to validate the digital signature that comes
along with a signed class file.
 Built-in Java Application Security
• From version 1.2, the Java platform itself comes with a Security model built for the
applications it runs.
• Here, the classes that are found in the CLASSPATH may have to go through a security check.
• This allows running of the application code in a sandbox defined by a user or an
administrator.
• The following points are important:
✓ Access methods are strictly adhered to
✓ A program cannot access arbitrary memory location
✓ Entities that are declared as final must not be changed
✓ Variables may not be used before they are initialized
✓ Array bounds must be checked during all array accesses
✓ Objects cannot arbitrarily cast into other object type
 1.4.7 Specific Attacks
• 1) Sniffing and Spoofing : On the Internet, computers exchange
messages with each other in the form of small blocks of data, called as
packets. A packet, like a postal envelope that contains the actual data to
be sent and the addressing information.
• Attackers target these packets, as they travel from the source computer
to the destination computer over the Internet. These attacks take two
main forms: (a) Packet sniffing (also called as snooping) and (b) Packet
spoofing.
• Since the protocol used in this communication is called as Internet
Protocol (IP), other names for these two attacks are: (a) IP sniffing and
(b) IP spoofing.
 a) Packet sniffing:
• Packet sniffing is a passive attack on an ongoing conversation.
• An attacker need not hijack a conversation, but instead, can just observe (i.e. snif) packets as they
pass by.
• To prevent an attacker from sniffing packets, the information that is passing needs to be protected in
some ways.
• This can be done at two levels: (i) The data that is traveling can be encoded in some way or (ii) The
transmission link itself can be encoded.
• To read a packet, the attacker needs to access it.
• The simplest way to do this is to control a computer through which the traffic goes.
• Usually, this is a router(A router is a device that connects two or more packet-switched networks.
Routers forward packets and allow multiple devices to use the same Internet connection). However,
routers are highly protected resources.
• Therefore, an attacker might not be able to attack it and instead, attack a less protected computer
on the same path
 b) Packet spoofing:
• In this technique, an attacker sends packets with a false source address. When this
happens, the receiver (i.e. the party who receives these packets containing false address)
would inadvertently send replies back to this forged address (called as spoofed address).
This can lead to three possible cases:
• i) The attacker can intercept the reply - If the attacker is between the destination and the
forged source, the attacker can see the reply and use that information for hijacking attacks.
• ii) The attacker need not see the reply - If the attacker's intention was a Denial Of Service
(DOS) attack, the attacker need not bother about the reply.
• iii) The attacker does not want the reply- The attacker could simply be angry with the host,
so it may put that host's address as the forged source address and send the packet to the
destination.
• The attacker does not want a reply from the destination, as it wants the host with the
forged address to receive it and get confused.
 2) Phishing :
• In Phishing , attackers set up fake Web sites, which look like real Web sites.
• It is simple to create Web pages as it involves simple technologies such as HTML, JavaScript,
CSS (Cascading Style Sheets)-presentation of HTML, etc.
• Learning and using these technologies is quite simple.
• Phishing works as follows.
• The attacker decides to create his own Web site, which looks very identical to a real Web site.
• For example, the attacker can clone Citibank's Web site.
• The cloning is so clever that human eye will not be able to distinguish between the real
(Citibank's) and fake (attacker's) sites now.
• The attacker sends an email to the legitimate customers of the bank. The email itself appears
to come from the bank. For ensuring this, the attacker exploits the email system to suggest
that the sender of the email is some bank official (e.g. accountmanager@citibank.comn).
 2) Phishing :
• This fake email warns the user that there has been some sort of attack on the Citibank's
computer systems and that the bank wants to issue new passwords to all its customers or verify
their existing PINs, etc.
• For this purpose, the customer is asked to visit a URL mentioned in the same email.
• When the customer (i.e. the victim) innocently clicks on the URL specified in the email, she is
taken to the attacker's site and not the bank's original site.
• There, the customer is prompted to enter confidential information, such as her password or PIN.
• Since the attacker's fake site looks exactly like the original bank site, the customer provides this
information.
• The attacker gladly accepts this information and displays a Thank you to the unsuspecting victim.
• In the meanwhile, the attacker now uses the victim's password or PIN to access the bank's real
site and can perform any transaction as if he/she is the victim
 3) Pharming (DNS Spoofing):
 This attack was earlier known as DNS spoofing or DNS poisoning is now called as pharming attack.
 With the Domain Name System (DNS), people can identify Web sites with human readable names
(such as www.yahoo.com) and computers can continue to treat them as IP addresses (such as
120.10.81.67).
 For this, a special server computer called as a DNS server maintains the mappings between
domain names and the corresponding IP addresses.
 The DNS server could be located anywhere.
 Usually, it is with the Internet Service Provider (ISP) of the users.
 Example: The DNS spoofing attack works as follows.
 Suppose that there is a merchant (Bob), whose site's domain name is www.bob.com and the IP
address is 100.10.10.20.
 Therefore, the DNS entry for Bob in all the DNS servers is maintained as follows: www.bob.com
100.10.10.20
 3) Pharming (DNS Spoofing):
• The attacker (Trudy) manages to hack and replace the IP address of Bob with his own (say
100.20.20.20) in the DNS server maintained by the ISP of a user(say Alice).
• Therefore, the DNS server maintained by the ISP of Alice now has the following entry:
www.bob.com 100.20.20.20
• Thus, the contents of the hypothetical DNS table maintained by the ISP would be changed.
• A hypothetical portion of this table (before and after the attack) is shown in Figure below.
• When Alice wants to communicate with Bob's site, her Web browser queries the DNS server
maintained by her ISP for Bob's IP address, providing it the domain name (i.e.
www.bob.com).
• Alice gets the replaced (i.e. Trudy's) IP address, which is 100.20.20.20.
• Now, Alice starts communicating with Trudy, believing that she is communicating with Bob.
• Such attacks of DNS spoofing are quite common and cause a lot of havoc.
3) Pharming (DNS Spoofing):