Introduction to the class Dr. Pipat Sookavatana Department of Computer Engineering CPEN1331 Network Security

What’s this course about? เรียนรู้และทำความเข้าใจการ Attack ระบบ Network เรียนรู้การป้องกันการ Attack ระบบ Network

หัวข้อที่จะถูกกล่าวถึงใน class นี้ Attack theory TCP/IP, UDP network Network Monitoring Security flaws Network Security Tools Ethernet Network Security 802.11 Wireless Network Security Network Firewall IDS/IPS VPN Encryption NAC

Assignments Rule 3 points สำหรับผู้ชนะ 2 points สำหรับ 2nd place 1 points สำหรับ 3rd place 0 points สำหรับที่เหลือ

Assignments หาและอธิบาย technique และวิธีการทำ Network Attack ให้มากที่สุด (ผู้ที่หามามากที่สุดชนะ) หาและอธิบาย technique และวิธีการทำ Email Security (ใช้วีธี Vote ตามนี้ 1 แต้มสำหรับการโหวดจากแต่ละกลุ่ม, 3 แต้มจาก Lecturers) หาและอธิบาย technique และวิธีการทำ Security สำหรับ RFID (ใช้วิธีให้คะแนนแบบข้อ 2) หาและอธิบายวิธีการทำ MD5-Collision (Yang and Yu 2005) (ใช้วิธีให้คะแนนแบบข้อ 2) Key ของ Access Point ที่ตั้งในห้อง Lab คืออะใร (กลุ่มแรกที่ตอบถูกพร้อมหลักฐานชนะ กลุ่มอื่น 0)

หนังสือนาะนำ The Art of Intrusions

The methodology of the attackers การตรวจหา (Surveillance) find hosts (IP address search) find type of host (os fingerprint), firewalls too Find KNOWN bugs (known to them) Exploitation post break-in escalation of privilege, user attacks root Hiding their tracks post Or pre break-in root shells on UNIX

Scanning is one basic methodology finding ip dst addresses single source multiple sources scanning one ip dst for tcp ports/udp ports open then launch an exploit launcher may be human or program

Finding ip dst addresses There are many tool on the internet you may download and use to find available IP in one subnet work www.foundstone.com sectools.org SuperScan, LaySurveror, IPScan, etc.

Scanning one ip dst Right after discover a target IP, port scanning software can be employed. i.e. nmap, NetworkActivPortScann, etc Or nessus

email: another methodology send program via email user naively executes attachment or perhaps it is auto-launched in some cases social engineering may be of use » “hi handsome ...” » “I love u …” malware uses address book to launch itself at next targets possibly with fake email sender

Define some terms (Must Know) exploit - a piece of code that exploits a software bug leading to a security hole virus - a malware program that somehow rides on the back of another vehicle but doesn’t move itself worm - a malware program that provides its own transit trojan-horse - a malware program that somehow appears as something else entirely

Define some terms (Must Know) cont. footprint/signature: some log entry or other trace left behind by an attack signature(in IDS sense): some way to identity a particular virus/worm/exploit attack perhaps use pattern matching to id that a file/email/packet has a known attack in it forensics: the process of figuring out just how an attack occured after the attack succeeded possibly may include collecting evidence for criminal case against criminal defendent

Define some terms (Must Know) cont. forensics again: important idea: if we can’t figure out how they got in, how can we keep them out next time? counter-measures: just what the whitehats do to keep the blackhats out or what you do to WATCH for them » on your network or hosts what did you do to make your webserver safer?

Define some terms (Must Know) cont. define “secure”: maybe we should all say: “safer” backdoor social engineering attack buffer overflow dictionary attack oh wait, we have the Morris worm for those terms

Security Principles and Component Asset and Risk Based INFOSEC (Information Security) Lifecycle model (ARBIL) A model represent an information security life cycle that can work for any organization