Monday, August 17, 2009

Program Security, 10 August 2009

Lecture 3 of our Information Technology Security course was about Program Security. The lecture started with En. Mohd Zaki briefly explaining the difference between failures and faults. According to him, a fault is the inside view from the developer, while a failure is the outside view from the user. A failure normally occurs because of a fault. Besides that, En. Mohd Zaki also mentioned that vulnerabilities are most commonly found in web applications.

According to En. Mohd Zaki, program errors are generally divided into two types: malicious and nonmalicious program errors. Nonmalicious program errors are unintentional errors caused by mistakes made by programmers and developers. Nonmalicious program errors cause program malfunction but do not lead to serious security vulnerabilities. En. Mohd Zaki explained to us two types of nonmalicious program error, which are buffer overflows and incomplete mediation.

On the other hand, malicious code exploits weaknesses in computer software and is intended to cause undesired effects, security breaches or damage to a system. The damage caused by malicious code can take the form of modification, stolen data and unauthorized access. En. Mohd Zaki told us that malicious programs can be divided into those that need a host program and those that are independent. Malicious programs that need a host program are trapdoors, logic bombs, Trojan horses and viruses, while independent malicious programs are bacteria and worms. En. Mohd Zaki explained some kinds of malicious code to us, and he stressed viruses and worms.

After listening to En. Mohd Zaki's explanation, I know that a Trojan horse is a program which masquerades as a legitimate program but does something other than what was intended. A virus is a program which, when executed, can add itself to another program without permission, in such a way that the infected program, when executed, can add itself to still other programs. A virus requires a host program as a carrier, and replication is limited to the virtual system. A virus normally hides in a compiler, database manager or file manager, in an email attachment, or in a publicly downloadable file. In order to gain control, a virus has to get the CPU to execute it: by overwriting a program on disk; by moving the original program and transferring control to it after the CPU has executed the virus; or by installing itself in memory and changing the pointers of the OS. Detection tools, identification tools and removal tools can be used to protect against viruses. Scanners and disinfectors are the most popular classes of antivirus software. Truths and misconceptions about viruses were also discussed by En. Mohd Zaki.

Unlike a virus, a worm does not require a host program in order to survive and propagate, as it is a self-contained program. It sends itself, or part of itself, to other computers, most often through a network connection. One of the examples given by En. Mohd Zaki is that worms normally propagate through email. When we open an email attachment, the worm scans the email address book and then automatically sends email to every address in it. The effect of worm propagation is that it causes the network to shut down. Bacteria differ from worms in that they do not affect the network but replicate themselves until they fill all disk space. A logic bomb is activated by a predetermined time or event. A trapdoor occurs when a programmer leaves debug routines in the code, giving others a chance to exploit the program. One of the famous trapdoors is the Salami Attack.

At the end of the lecture, En. Mohd Zaki briefly explained the attacks associated with program errors. He told us that cross-site scripting, injection flaws and malicious execution are the three most important attacks and will be covered in the lab session.

Monday, August 3, 2009

Authentication and Basic Cryptography, 28 July 2009

For the third lab practical session of the IT Security course, we applied the concepts of authentication and cryptography that we had learned in the lecture. The lab session started with En. Mohd Zaki briefly explaining what we needed to do in the lab. Besides that, he reminded us of some important steps in the installation of Pretty Good Privacy (PGP). After that, we were required to perform the lab activities according to the lab sheets.

As usual, I used VMware Workstation to perform this lab activity. Before making any changes in the virtual machine, I took a snapshot so that the virtual machine could be rolled back to the saved state after the lab activity ended. In order to continue the lab activity, I had to ensure the file system was NTFS, because data encryption cannot occur without NTFS. The first task that I performed was to verify data encryption. I created an Encryption folder with User2Folder inside. After that, I created a private text document inside User2Folder and changed the setting to encrypt the file. As a result, access was denied when I tried to open the private text document while logged in as another user. This proved that data encryption had occurred.

For the second task, I changed the local password policy setting for length to at least 9 characters. After that, I tried to set a new password with fewer than 9 characters, and it was not successful. A new password can only be set if it has at least 9 characters. For the third task, I changed the local password policy setting for complexity by enabling [Passwords must meet complexity requirements]. As a result, a new password must be at least 9 characters long and must contain capitals, numerals or punctuation. A complex and long password is recommended to avoid being easily cracked.

For the fourth task, I learned to set an Account Lockout Policy, which contains three policies: Account Lockout Threshold, Reset Account Lockout Counter After and Account Lockout Duration. The Account Lockout Threshold policy specifies the number of failed login attempts allowed before the account is locked out. Reset Account Lockout Counter After defines the timeframe for counting incorrect login attempts. Account Lockout Duration specifies the timeframe after which the account will automatically unlock and resume normal operation. In this lab activity, I set Account Lockout Threshold to 3, and Account Lockout Duration and Reset Account Lockout Counter After to 30 minutes. As a result, the account was locked out after I entered an incorrect password for the fourth time in a row. The account either stays locked out for 30 minutes or I log on as administrator to unlock it. After performing this task, I understand that an Account Lockout Policy can help to delay a successful hack attempt or discourage the hacker from continuing to attack the account.

For the last task, I installed PGP, which provides asymmetric cryptography, in VMware Workstation. After that, I created a key pair containing a private and a public key. In order to secure the key pair, I entered a passphrase. En. Mohd Zaki reminded us to remember this passphrase because it is required for encryption and decryption. Then, I exchanged my public key with my partner. Following that, I encrypted a message using PGP and sent it to my partner. She could read the message after decrypting it. I also received a message which had been encrypted with my public key. I can read the message after decrypting it using PGP!!! So, by using PGP, information can be converted into a form that cannot be easily understood by unauthorized people, and encrypted data can be converted back into its original form that can be understood.

Authentication & Basic Cryptography (Part 2), 27 July 2009

This week's IT Security lecture was the continuation of last week's lecture on the topic of Authentication & Basic Cryptography. The lecture started with an introduction to the Vigenere cipher by En. Mohd Zaki. According to En. Mohd Zaki, the left-hand column of the Vigenere square is the key letter, while the top row is the plaintext letter. We have to take the key letter and match it with the plaintext letter in order to get the ciphertext letter. For example, the plaintext “COME” with the key “FISH” encrypts to the ciphertext “HWEL”. The requirement in the Vigenere cipher is that the key must be the same length as the plaintext message, and it is advisable not to repeat the key, in order to keep this cipher secure.
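The square lookup described above is addition of letter positions modulo 26. The following is an added example, not code from the lecture; the function names and the longer message are constructed here. It reproduces the “COME”/“FISH” result and shows what a repeated key leaves behind in the ciphertext.

```python
from string import ascii_uppercase as ALPHA

def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching key letter (A-Z only).

    The key is repeated when it is shorter than the text, which is the
    practice the lecture advises against.
    """
    out = []
    for i, ch in enumerate(text.upper()):
        k = ALPHA.index(key[i % len(key)].upper())   # row of the square
        p = ALPHA.index(ch)                          # column of the square
        out.append(ALPHA[(p - k) % 26 if decrypt else (p + k) % 26])
    return "".join(out)

def repeated_blocks(ciphertext, size=3):
    """Map each block that occurs more than once to its start positions."""
    seen = {}
    for i in range(len(ciphertext) - size + 1):
        seen.setdefault(ciphertext[i:i + size], []).append(i)
    return {block: pos for block, pos in seen.items() if len(pos) > 1}

if __name__ == "__main__":
    print(vigenere("COME", "FISH"))                  # example from the lecture
    # Constructed message: the 4-letter key is reused three times.
    ct = vigenere("COMEHOMECOME", "FISH")
    print(ct)
    # Repeats sit 4 or 8 positions apart, i.e. multiples of the key length.
    print(repeated_blocks(ct))
```

The distances between repeated blocks are multiples of the key length, which is the information a key as long as the message does not give away.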

After that, En. Mohd Zaki told us that the frequency of occurrence of letters in English can help in breaking a monoalphabetic substitution cipher. So, he gave us an assignment to analyze the frequency of occurrence of each letter in a page of either a Malay or an English newspaper. Then, he proceeded to another method used in cryptographic algorithms besides substitution, which is transposition. Transposition rearranges letters by using a matrix. There are two types of transposition: unkeyed transposition and keyed transposition. En. Mohd Zaki showed us the difference between the two types of transposition.


Encrypt the plaintext: “There is no more security on this earth there is only opportunity” into a matrix of 10 (vertical) by 5 (horizontal)

Unkeyed transposition


       1   2   3   4   5   6   7   8   9   10
  1    T   H   E   R   E   I   S   N   O   S
  2    E   C   U   R   I   T   Y   O   N   T
  3    H   I   S   E   A   R   T   H   T   H
  4    E   R   E   I   S   O   N   L   Y   O
  5    P   P   O   R   T   U   N   I   T   Y

We can get the plaintext by reading the letters horizontally. In contrast, the ciphertext is obtained by reading the letters vertically.

Ciphertext: TEHEP HCIRP EUSEO RREIR EIAST ITROU SYTNN NOHLI ONTYT STHOY

Keyed transposition

Given the key is 10 1 4 5 6 3 2 8 9 7


       10  1   4   5   6   3   2   8   9   7
  1    T   H   E   R   E   I   S   N   O   S
  2    E   C   U   R   I   T   Y   O   N   T
  3    H   I   S   E   A   R   T   H   T   H
  4    E   R   E   I   S   O   N   L   Y   O
  5    P   P   O   R   T   U   N   I   T   Y

We can get the plaintext by reading the letters horizontally. In contrast, the ciphertext is obtained by reading the columns vertically in the order given by the key.

Ciphertext: HCIRP SYTNN ITROU EUSEO RREIR EIAST STHOY NOHLI ONTYT TEHEP
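Both matrices above can be checked with a few lines of code. This is an added example, not part of the lecture material; the function names are constructed here. It uses the 50 letters actually written into the matrix, which is the sentence without the word “more”, and treats the unkeyed case as the key 1 to 10.

```python
PLAINTEXT = "There is no security on this earth there is only opportunity"
UNKEYED = list(range(1, 11))             # read columns left to right
KEY = [10, 1, 4, 5, 6, 3, 2, 8, 9, 7]    # the key given above, one number per column

def read_order(key):
    """Column indexes in the order they are read out (key value 1 first)."""
    if sorted(key) != list(range(1, len(key) + 1)):
        raise ValueError("key must use each of 1..n exactly once")
    return sorted(range(len(key)), key=lambda col: key[col])

def transpose_encrypt(plaintext, key):
    """Write the letters row by row, then read whole columns in key order."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    if len(letters) % len(key):
        raise ValueError("message does not fill the matrix; pad it first")
    rows = [letters[i:i + len(key)] for i in range(0, len(letters), len(key))]
    return " ".join("".join(row[col] for row in rows) for col in read_order(key))

def transpose_decrypt(ciphertext, key):
    """Put each ciphertext group back in its column, then read row by row."""
    text = ciphertext.replace(" ", "")
    nrows = len(text) // len(key)
    cols = [None] * len(key)
    for rank, col in enumerate(read_order(key)):
        cols[col] = text[rank * nrows:(rank + 1) * nrows]
    return "".join(col[r] for r in range(nrows) for col in cols)

if __name__ == "__main__":
    for key in (UNKEYED, KEY):
        ct = transpose_encrypt(PLAINTEXT, key)
        print(ct)
        print(transpose_decrypt(ct, key))
```

The letters and their counts are unchanged by either variant, so the letter-frequency profile of the ciphertext is the same as that of the plaintext.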


Besides that, I gained an understanding of digital signatures after listening to En. Mohd Zaki's explanation. A digital signature is a type of asymmetric cryptography. For messages sent through an insecure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender. A digital signature provides data integrity and non-repudiation. A digital signature scheme consists of two algorithms: signing and verifying. In signing, a hash of the message is produced by applying a hash function to the message. By applying an asymmetric algorithm with the sender's private key to the hash of the message, a signature is produced. On the other hand, the signature can be verified by anyone who knows the corresponding public key. By applying the asymmetric algorithm with the public key to the signature, the hash of the message is produced. If this hash matches the hash of the message, the signature is accepted. However, digital signatures can be attacked by an intruder who substitutes their public key for the sender's public key.

In the last section of the lecture, En. Mohd Zaki taught us about RSA key setup. I feel that this is the most difficult part of this topic because it involves many complicated calculations. En. Mohd Zaki gave us many examples of calculating the mod of a number because it is important for encrypting or decrypting a message in RSA.
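The key setup and the sign/verify steps described in the last two paragraphs fit in one short program. This is an added example, not the lecturer's material: it is textbook RSA without padding, the primes and messages are constructed, and all names are hypothetical. The last two results show why the verifier must already hold the sender's real public key.

```python
import hashlib
from math import gcd

def rsa_keygen(p, q, e=65537):
    """RSA key setup from two primes: returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)        # e*d = 1 (mod phi); needs Python 3.8+
    return (n, e), (n, d)

def digest(message, n):
    """SHA-256 of the message as an integer below n (toy reduction)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    n, d = private
    return pow(digest(message, n), d, n)      # hash^d mod n

def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(message, n)   # sig^e mod n

# Constructed toy keys built from known Mersenne primes; far too small
# and too structured for real use.
SENDER_PUB, SENDER_PRIV = rsa_keygen(2**61 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = rsa_keygen(2**107 - 1, 2**127 - 1)

def demo():
    msg, other_msg = b"pay 10 to Bob", b"pay 1000 to Eve"
    sig = sign(msg, SENDER_PRIV)
    other_sig = sign(other_msg, OTHER_PRIV)   # signed with someone else's key
    return {
        "genuine": verify(msg, sig, SENDER_PUB),
        "tampered": verify(b"pay 1000 to Bob", sig, SENDER_PUB),
        # Checked against the key the receiver already trusts: rejected.
        "other_key_vs_trusted": verify(other_msg, other_sig, SENDER_PUB),
        # Checked against whatever key arrived with the message: accepted.
        "other_key_vs_substituted": verify(other_msg, other_sig, OTHER_PUB),
    }

if __name__ == "__main__":
    print(rsa_keygen(61, 53, 17))   # small numbers for working mod by hand
    print(demo())
```

Verification only proves which private key produced the signature, so the public key has to reach the receiver through a trusted path such as a certificate or a fingerprint checked out of band.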