Attacks on computer hardware may be caused by a natural calamity such as a flood or an earthquake,
by power-related problems such as voltage fluctuations and outages, or by the destructive actions of
a burglar or other intruder with physical access to the machine.
Software attacks harm the data stored in the computer. Software attacks may be due to malicious
software or due to hacking. Malicious software, or malware, is program code introduced into a
system with the purpose of harming that system. Hacking is intruding into another computer or
network to perform an illegal act.
This chapter will discuss the malicious software and hacking in detail.
Figure 14.3 Security attacks
14.3 MALICIOUS SOFTWARE
Malicious users use different methods to break into systems. Software that is intentionally
introduced into a system with the intention of harming it is called malicious software. Viruses,
Trojan horses and worms are examples of malicious programs. JavaScript code and Java applets
written with the purpose of attacking are also malicious programs.
14.3.1 Virus
A virus is a program that is destructive in nature. Virus programs have the following
properties:
It can attach itself to other healthy programs.
It can replicate itself and thus can spread across a network.
It is difficult to trace a virus after it has spread across a network.
Viruses harm the computer in many ways—
o corrupt or delete data or files on the computer,
o change the functionality of software applications,
o use e-mail program to spread itself to other computers,
o erase everything on the hard disk, or,
o degrade performance of the system by utilizing resources such as memory or disk space.
A virus infects an executable file or program. The virus executes when a program infected with the
virus is executed, or when the computer is started from a disk that has infected system files.
Once a virus is active, it loads into the computer's memory and may save itself to the hard drive
or copy itself to applications or system files on the disk.
A virus cannot write to a write-protected disk. It can, however, infect documents that carry
executable content: macro viruses such as Melissa spread inside Word documents through the macro
language embedded in them. A virus also cannot modify a file that sits inside a compressed archive
without first decompressing it, although an archive may well contain a file that was infected
before it was compressed, which is why antivirus scanners look inside archives. Viruses do not
infect computer hardware; they only infect software.
Viruses are most easily spread by attachments in e-mail messages. Viruses also spread through
download on the Internet.
Some examples of viruses are—“Melissa” and “I Love You”.
14.3.2 Worms
A worm is self-replicating software that uses network connections and security holes to copy
itself from machine to machine. A copy of the worm scans the network for another machine that has
a specific security hole, copies itself to that machine through the hole, and then starts
replicating from there as well.
A worm differs from a virus in that it does not attach itself to a host program. It replicates so
much, however, that it consumes the resources of the computers and the network and makes them slow.
Some examples of worms are—“Code Red” and “Nimda”.
14.3.3 Trojan Horse
Trojan horses are destructive programs that masquerade as useful programs. The name "Trojan
horse" comes from the Greek soldiers who reached the city of Troy by hiding themselves inside a
large wooden horse (Figure 14.4). The people of Troy themselves pulled the horse inside their city,
unaware that the Greek soldiers were hiding inside it.
Similarly, users install Trojan horses thinking that they will serve a useful purpose, such as a
game or entertainment. However, a Trojan horse contains code that corrupts data or damages files.
Trojan horses can corrupt software applications, damage files, and carry viruses that destroy and
corrupt data and programs. Unlike viruses, Trojan horses do not replicate themselves; they rely on
the user to install them.
Figure 14.4 Trojan horse
14.3.4 Javascripts, Java Applets and ActiveX Controls
Applets (Java programs), and ActiveX controls are used with Microsoft technology, which can
be inserted in a Web page and are downloaded on the client browser for execution. Applets and
ActiveX controls are generally used to provide added functionality such as sound and animation.
However, these programs when designed with a malicious intention can be disastrous for the
client machine. Java Applets have strong security checks that define what an applet can do and
what it cannot. ActiveX controls do not have such security checks. Normally, ActiveX controls
must be kept disabled while working on the Internet (Figure 14.5).
Figure 14.5 (a) Making security settings in Windows XP (b) ActiveX control popup in Internet
JavaScript is a scripting language generally embedded within HTML code. Client-side scripts on an
HTML page execute inside the Web browser on the client computer. The browser sandboxes these
scripts: they cannot read or write arbitrary local files or send e-mail directly, but they can make
network requests on the user's behalf, read and modify the page they run in, and access the cookies
and other data visible to that page. A script written with malicious intent, in particular one
injected into a page the user trusts (cross-site scripting), can therefore steal session data,
redirect the user, or submit requests in the user's name.
14.4 HACKING
Hacking is the act of intruding into someone else’s computer or network. A hacker is someone
who does hacking. Hacking may result in a Denial of Service (DoS) attack. The DoS attack
prevents authorized users from accessing the resources of the computer. It aims at making the
computer resource unusable or unavailable to its intended users. It targets the computer and its
network connections, to prevent the user from accessing email, web sites, online accounts
(banking, etc.), or other services that rely on the affected computer. In a DoS attack, the services
of the entire network, an Internet site or service, may be suppressed or disabled. The affected
machine is flooded with spurious requests and messages so as to overload the network. As a
result, the affected machine cannot process the valid requests. This is a denial of service to the
valid users. Generally, the targets of such attacks are the sites hosted on high-profile web servers
such as banks and credit card payment gateways.
Packet sniffing, e-mail hacking and password cracking are used to obtain the username and password
of a system in order to gain unauthorized access to it. Packet sniffing and e-mail hacking capture
this information while the data is being transmitted over the network; password cracking works on
password hashes that have been stored on the system or captured from it.
14.4.1 Packet Sniffing
The data and the address information are sent as packets over the Internet. The packets may
contain data like a user name and password, e-mail messages, files etc. Packet sniffing programs
are used to intercept the packets while they are being transmitted from source to destination.
Once intercepted, the data in the packets is captured and recorded. Generally, the attacker running
a packet sniffer is interested in packets carrying a username and password. Packet sniffing attacks
normally go undetected, because a sniffer only listens and transmits nothing. Ethereal (now called
Wireshark) and Zx Sniffer are some freeware packet sniffers. Telnet, FTP and SMTP are services that
are commonly sniffed, because they send usernames and passwords in clear text; their encrypted
replacements (SSH, SFTP or FTPS, and SMTP over TLS) carry the same data, but a sniffer then sees
only cipher text.
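As an added illustration (this program is not from the original chapter), the following Go code parses a packet constructed to look like what a sniffer on the path would capture, an IPv4/TCP segment carrying an FTP login, and pulls the username and password out of the clear-text payload. The packet bytes, addresses and credentials are constructed for the example, and the function names (ParseIPv4TCP, HarvestCredentials, BuildSample) are the example's own; a real sniffer would read frames from a network interface in promiscuous mode instead of calling BuildSample.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"regexp"
)

// Packet holds the fields of a sniffed IPv4/TCP packet that matter for credential harvesting.
type Packet struct {
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	Payload          []byte
}

// ParseIPv4TCP decodes an IPv4 header (honouring IHL) followed by a TCP header.
func ParseIPv4TCP(b []byte) (*Packet, error) {
	if len(b) < 20 || b[0]>>4 != 4 {
		return nil, errors.New("not an IPv4 packet")
	}
	ihl := int(b[0]&0x0f) * 4
	if ihl < 20 || len(b) < ihl+20 {
		return nil, errors.New("truncated IPv4 header")
	}
	if b[9] != 6 { // protocol field: 6 = TCP
		return nil, errors.New("not TCP")
	}
	tcp := b[ihl:]
	dataOff := int(tcp[12]>>4) * 4
	if dataOff < 20 || len(tcp) < dataOff {
		return nil, errors.New("truncated TCP header")
	}
	return &Packet{
		SrcIP:   net.IP(b[12:16]),
		DstIP:   net.IP(b[16:20]),
		SrcPort: binary.BigEndian.Uint16(tcp[0:2]),
		DstPort: binary.BigEndian.Uint16(tcp[2:4]),
		Payload: tcp[dataOff:],
	}, nil
}

// FTP sends credentials as "USER name" and "PASS secret" lines on the control connection.
var credRe = regexp.MustCompile(`(?m)^(USER|PASS) (\S+)\r?$`)

// HarvestCredentials returns the user and password found in an FTP control stream (port 21).
func HarvestCredentials(p *Packet) (user, pass string) {
	if p.DstPort != 21 {
		return "", ""
	}
	for _, m := range credRe.FindAllStringSubmatch(string(p.Payload), -1) {
		switch m[1] {
		case "USER":
			user = m[2]
		case "PASS":
			pass = m[2]
		}
	}
	return user, pass
}

// BuildSample constructs an IPv4/TCP packet carrying an FTP login (constructed test data;
// checksums are left zero because this example never puts the packet on a wire).
func BuildSample() []byte {
	payload := []byte("USER alice\r\nPASS s3cret!\r\n")
	ip := make([]byte, 20)
	ip[0] = 0x45 // version 4, IHL 5 words
	binary.BigEndian.PutUint16(ip[2:4], uint16(20+20+len(payload)))
	ip[8] = 64 // TTL
	ip[9] = 6  // protocol TCP
	copy(ip[12:16], net.IPv4(10, 0, 0, 5).To4())
	copy(ip[16:20], net.IPv4(192, 0, 2, 10).To4())
	tcp := make([]byte, 20)
	binary.BigEndian.PutUint16(tcp[0:2], 51234) // ephemeral source port
	binary.BigEndian.PutUint16(tcp[2:4], 21)    // FTP control port
	tcp[12] = 0x50                               // data offset 5 words
	tcp[13] = 0x18                               // PSH|ACK
	return append(append(ip, tcp...), payload...)
}

func main() {
	p, err := ParseIPv4TCP(BuildSample())
	if err != nil {
		panic(err)
	}
	u, pw := HarvestCredentials(p)
	fmt.Printf("%s:%d -> %s:%d  user=%q pass=%q\n", p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, u, pw)
}
```

The parser deliberately checks the IHL and TCP data offset before indexing, because a sniffer is fed by untrusted traffic and a malformed header is the first thing an attacker will send it.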
14.4.2 Password Cracking
Password cracking is used by hackers to gain access to systems. Passwords are generally not stored
on the system in the clear but as a hash (often loosely called "encrypted"), ideally combined with
a random salt and computed with a deliberately slow hash function. A password cracker is an
application that tries to obtain a password either by repeatedly generating candidate passwords
(from a dictionary or by brute force), hashing them the same way and comparing the result with the
stored hash, or by authenticating multiple times to an authentication source (online guessing).
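The following Go program is an added example and is not part of the original chapter. It runs an offline dictionary attack against a stored password hash, first against a bare SHA-256 digest and then against a salted, iterated digest, to show why salting defeats precomputed tables even though a weak password still falls. The wordlist and passwords are constructed; the iterated SHA-256 in SaltedHash stands in for a real password hashing function such as bcrypt, scrypt or Argon2, and all function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed wordlist standing in for a real dictionary file.
var wordlist = []string{"123456", "password", "letmein", "qwerty", "Summer2023!", "dragon"}

// UnsaltedHash is how a naive system "encrypts" a password: one SHA-256 of the password alone.
func UnsaltedHash(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// SaltedHash iterates SHA-256 over salt||password. The iteration count is a stand-in for a
// real password KDF: it makes every guess cost the attacker the same extra work.
func SaltedHash(pw string, salt []byte, iterations int) string {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return hex.EncodeToString(h[:])
}

// CrackUnsalted runs a dictionary attack: hash each candidate and compare with the stored digest.
// It returns the recovered password and the number of guesses made ("" if nothing matched).
func CrackUnsalted(stored string, words []string) (string, int) {
	for i, w := range words {
		if UnsaltedHash(w) == stored {
			return w, i + 1
		}
	}
	return "", len(words)
}

// PrecomputedTable maps unsalted digests back to passwords; one such table cracks every
// user of every unsalted system at once.
func PrecomputedTable(words []string) map[string]string {
	t := make(map[string]string, len(words))
	for _, w := range words {
		t[UnsaltedHash(w)] = w
	}
	return t
}

// CrackSalted must repeat the full per-guess work for each user, because the salt is part
// of the input and differs per user.
func CrackSalted(stored string, salt []byte, iterations int, words []string) (string, int) {
	for i, w := range words {
		if SaltedHash(w, salt, iterations) == stored {
			return w, i + 1
		}
	}
	return "", len(words)
}

func main() {
	stored := UnsaltedHash("letmein")
	pw, n := CrackUnsalted(stored, wordlist)
	fmt.Printf("unsalted: recovered %q after %d guesses\n", pw, n)

	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	const iterations = 100000
	saltedStored := SaltedHash("letmein", salt, iterations)
	// The precomputed table is useless against the salted digest...
	_, hit := PrecomputedTable(wordlist)[saltedStored]
	fmt.Println("salted digest found in precomputed table:", hit)
	// ...but a weak password still falls to a per-user dictionary attack, only more slowly.
	pw, n = CrackSalted(saltedStored, salt, iterations, wordlist)
	fmt.Printf("salted: recovered %q after %d guesses of %d iterations each\n", pw, n, iterations)
}
```

The lesson for the defender is in the last line: salting and a slow hash raise the cost per guess, but they do not rescue a password that is in every attacker's wordlist.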
14.4.3 E-mail Hacking
E-mail transmitted over the network consists of the e-mail header and the content. If the header
and the content are sent without encryption, hackers may read or alter the messages in transit.
Hackers may also change the header to modify the sender's name or to redirect the message to some
other user. Hackers also use packet replay, retransmitting captured message packets over the
network. Packet replay is a serious threat to programs that rely on authentication sequences: a
hacker who captures the packets containing authentication data may replay them later to gain
access to the resources of a computer without ever learning the password itself.
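An added example, not from the chapter, of the standard defence against packet replay: a challenge-response login in Go in which the server issues a single-use random nonce and the client answers with an HMAC of that nonce under a key both sides already share. Both sides of the exchange are in the program. The shared key, the names Server, Challenge, Respond and Verify, and the in-memory nonce table are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server issues one-time challenges and verifies responses. The key stands in for a
// password-derived secret both sides already hold (assumption for this example).
type Server struct {
	key     []byte
	pending map[string]bool // issued nonces that have not yet been consumed
}

func NewServer(key []byte) *Server {
	return &Server{key: key, pending: make(map[string]bool)}
}

// Challenge is message 1 (S -> C): a fresh random nonce the server remembers as outstanding.
func (s *Server) Challenge() string {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	nonce := hex.EncodeToString(n)
	s.pending[nonce] = true
	return nonce
}

// Respond is message 2 (C -> S): the client proves it knows the key by MACing the nonce.
func Respond(key []byte, nonce string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(nonce))
	return hex.EncodeToString(m.Sum(nil))
}

// Verify accepts a response only for an outstanding nonce, then burns the nonce, so the
// same (nonce, response) pair replayed later is rejected even though it was once valid.
func (s *Server) Verify(nonce, response string) error {
	if !s.pending[nonce] {
		return errors.New("unknown or already-used nonce (replay?)")
	}
	delete(s.pending, nonce)
	want := Respond(s.key, nonce)
	if !hmac.Equal([]byte(want), []byte(response)) {
		return errors.New("bad response")
	}
	return nil
}

// Scenario runs one live login and then replays the captured pair. It returns whether the
// live login and the replay were accepted.
func Scenario(key []byte) (liveOK bool, replayOK bool) {
	srv := NewServer(key)
	nonce := srv.Challenge()    // S -> C: nonce            (sniffed by the attacker)
	resp := Respond(key, nonce) // C -> S: HMAC(key, nonce) (sniffed by the attacker)
	liveOK = srv.Verify(nonce, resp) == nil
	replayOK = srv.Verify(nonce, resp) == nil // attacker replays the captured pair
	return liveOK, replayOK
}

func main() {
	key := []byte("shared-secret-derived-from-password") // assumption: pre-shared
	live, replay := Scenario(key)
	fmt.Println("live login accepted:", live)
	fmt.Println("replayed login accepted:", replay)
}
```

A plain "send the password" login has no equivalent of the pending table: every captured packet is valid forever. Here the attacker captures a response that is correct for a nonce the server will never issue again.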
14.5 SECURITY SERVICES
The security services provide specific kinds of protection to system resources. They ensure
confidentiality, integrity, authentication and non-repudiation of data or messages stored on the
computer or transmitted over the network. Additionally, they provide assurance of access control
and of the availability of resources to authorized users.
Confidentiality—The confidentiality aspect specifies availability of information to only
authorized users. In other words, it is the protection of data from unauthorized disclosure. It
requires ensuring the privacy of data stored on a server or transmitted via a network, from
being intercepted or stolen by unauthorized users. Data encryption stores or transmits data, in a
form that unauthorized users cannot understand. Data encryption is used for ensuring
confidentiality.
Integrity—It assures that the received data is exactly as sent by the sender, i.e. the data has not
been modified, duplicated, reordered, inserted or deleted before reaching the intended
recipient. The data received is the one actually sent and is not modified in transit.
Authentication—Authentication is the process of ensuring and confirming the identity of the
user before revealing any information to the user. Authentication provides confidence in the
identity of the user or the entity connected. It also assures that the source of the received data
is as claimed. Authentication is facilitated by the use of username and password, smart cards,
biometric methods like retina scanning and fingerprints.
Non-Repudiation prevents either sender or receiver from denying a transmitted message. For a
message that is transmitted, proofs are available that the message was sent by the alleged
sender and the message was received by the intended recipient. For example, if a sender places
an order for a certain product to be purchased in a particular quantity, the receiver knows that it
came from a specified sender. Non-repudiation deals with signatures.
Access Control—It is the prevention of unauthorized use of a resource. This specifies the users
who can have access to the resource, and what are the users permitted to do once access is
allowed.
Availability—It assures that the data and resources requested by authorized users are available
to them when requested.
14.6 SECURITY MECHANISMS
Security mechanisms deal with prevention of, detection of, and recovery from a security attack.
Prevention involves mechanisms that stop the computer from being damaged. Detection requires
mechanisms that reveal when, how, and by whom an attack occurred. Recovery involves mechanisms to
stop the attack, assess the damage done, and then repair the damage.
Security mechanisms are built using personnel and technology.
Personnel are used to frame security policy and procedures, and for training and awareness.
Security mechanisms use technologies like cryptography, digital signature, firewall, user
identification and authentication, and other measures like intrusion detection, virus protection,
and, data and information backup, as countermeasures for security attack.
14.7 CRYPTOGRAPHY
Cryptography is the science of writing information in a “hidden” or “secret” form and is an
ancient art. Cryptography is necessary when communicating data over any network, particularly
the Internet. It protects the data in transit and also the data stored on the disk. Some terms
commonly used in cryptography are:
Plaintext is the original message that is an input, i.e. unencrypted data.
Cipher and Code—Cipher is a bit-by-bit or character-by-character transformation without regard
to the meaning of the message. Code replaces one word with another word or symbol. Codes
are not used any more.
Cipher text—It is the coded message or the encrypted data.
Encryption—It is the process of converting plaintext to cipher text, using an encryption
algorithm.
Decryption—It is the reverse of encryption, i.e. converting cipher text to plaintext, using a
decryption algorithm.
Cryptography uses different schemes for the encryption of data. A scheme consists of a pair of
algorithms, one for encryption and one for decryption, together with a key.
A key is a secret parameter (a string of bits) for a specific message exchange context. Keys are
important, as algorithms without keys are not useful: security must rest on the secrecy of the key
and not of the algorithm, since algorithms are eventually discovered. The encrypted data cannot be
recovered without the appropriate key. The size of the key also matters: for a sound algorithm, the
larger the key, the harder it is to recover the plaintext by trying keys. The schemes differ in the
number of keys used for encryption and decryption. The three cryptographic schemes are as follows:
Secret Key Cryptography (SKC): uses a single key for both encryption and decryption.
Public Key Cryptography (PKC): uses one key for encryption and another for decryption.
Hash Functions: use a mathematical transformation to irreversibly condense information into a
fixed-length digest. Strictly speaking a hash function does not encrypt, because there is no key
and no decryption.
In the first two schemes, the algorithms encrypt the plaintext into cipher text, which in turn is
decrypted back into plaintext. A hash value is never decrypted; it is only recomputed and compared.
14.7.1 Secret Key Cryptography
Secret key cryptography uses a single key for both encryption and decryption. The sender uses
the key to encrypt the plaintext and sends the cipher text to the receiver. The receiver applies
the same key to decrypt the message and recover the plaintext (Figure 14.6). Since a single key
is used for encryption and decryption, secret key cryptography is also called symmetric
encryption.
Figure 14.6 Secret key cryptography (uses a single key for both encryption and
decryption)
Secret key cryptography schemes are generally categorized as stream ciphers or block ciphers.
Stream ciphers operate on a single bit (byte or computer word) at a time. The key, together with a
per-message nonce, is expanded into a keystream that is combined with the plaintext, so the value
mixed into each bit is constantly changing even though the key itself is fixed.
A block cipher encrypts one fixed-size block of data at a time (16 bytes for AES) using the same key
on each block. Used naively, the same plaintext block always encrypts to the same cipher text block
under the same key; this is Electronic Codebook (ECB) mode, and it leaks patterns in the data.
Practical systems therefore use a mode of operation such as CBC, CTR or GCM, which mixes a changing
value (an initialization vector or counter) into each block so that repeated plaintext does not
produce repeated cipher text; GCM additionally detects any tampering with the cipher text.
Secret key cryptography requires that the key must be known to both the sender and the
receiver. The drawback of using this approach is the distribution of the key. Any person who has
the key can use it to decrypt a message. So, the key must be sent securely to the receiver, which
is a problem if the receiver and the sender are at different physical locations.
The Data Encryption Standard (DES), now obsolete because its 56-bit key can be found by exhaustive
search, and the Advanced Encryption Standard (AES), its replacement, are the best-known secret key
cryptography algorithms.
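The following Go program is an added example, not code from the original chapter, that demonstrates the block-cipher point above with the AES implementation in Go's standard library. Encrypting one block directly shows the deterministic behaviour of a bare block cipher (what ECB mode would do to every block), while AES-GCM with a fresh random nonce per message hides repetition and rejects tampered cipher text. The key and plaintext are constructed for the example, and the Seal/Open layout (nonce || cipher text || tag) is the example's own convention.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptBlockRaw applies the AES block function to exactly one 16-byte block. Applied
// block by block to a long message (ECB mode) it leaks which blocks are equal.
func EncryptBlockRaw(key, block []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, block)
	return out
}

// Seal encrypts with AES-GCM under a fresh random nonce. Output is nonce || cipher text || tag.
func Seal(key, plaintext []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(c)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts; any change to the nonce, cipher text or tag makes the authentication fail.
func Open(key, sealed []byte) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(c)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:g.NonceSize()], sealed[g.NonceSize():]
	return g.Open(nil, nonce, ct, nil)
}

func main() {
	key := make([]byte, 32) // AES-256 key; constructed here, normally from a CSPRNG or a KDF
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	block := []byte("ATTACK AT DAWN!!") // exactly one 16-byte block
	a, b := EncryptBlockRaw(key, block), EncryptBlockRaw(key, block)
	fmt.Println("raw block cipher: same plaintext block gives same cipher text:", bytes.Equal(a, b))

	s1, _ := Seal(key, block)
	s2, _ := Seal(key, block)
	fmt.Println("AES-GCM: same message twice gives same cipher text:", bytes.Equal(s1, s2))

	pt, err := Open(key, s1)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	s1[len(s1)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, s1)
	fmt.Println("tampered cipher text rejected:", err != nil)
}
```

GCM nonces must never repeat under the same key; a random 96-bit nonce is fine for a modest number of messages, and a counter is the safer choice when a key encrypts very many.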
14.7.2 Public-Key Cryptography
Public-key cryptography facilitates secure communication over a non-secure communication
channel without having to share a secret key.
Public-key cryptography uses two keys—one public key and one private key.
The public key can be shared freely and may be known publicly.
The private key is never revealed to anyone and is kept secret.
The two keys are mathematically related although knowledge of one key does not allow
someone to easily determine the other key.
Figure 14.7 Public key cryptography (uses two keys—one for encryption and other for
decryption)
The plaintext can be encrypted using the public key and decrypted with the private key and
conversely the plaintext can be encrypted with the private key and decrypted with the public
key. Both keys are required for the process to work (Figure 14.7). Because a pair of keys is
required for encryption and decryption; public-key cryptography is also called asymmetric
encryption.
RSA (named after Rivest, Shamir and Adleman) was one of the first public-key algorithms and is
still the most common one in use today. It is used in many software products for key exchange,
digital signatures, and encryption of small blocks of data such as session keys. The Digital
Signature Algorithm (DSA) and its elliptic-curve variant ECDSA are used to provide digital
signatures for the authentication of messages.
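An added example, not from the chapter, of public-key encryption with Go's standard library: the receiver publishes the public half of an RSA key pair, the sender encrypts a short message to it with RSA-OAEP, and only the holder of the private half can decrypt it. The message is constructed, and the 2048-bit key size and function names are choices made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates an RSA key pair. The public half may be published; the private
// half never leaves the receiver.
func GenerateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// EncryptToPublic: anyone holding the receiver's public key can encrypt to the receiver.
// OAEP padding is randomized, so the same message encrypts differently each time.
func EncryptToPublic(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// DecryptWithPrivate: only the private-key holder can recover the plaintext.
func DecryptWithPrivate(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	receiver, err := GenerateKeyPair(2048)
	if err != nil {
		panic(err)
	}
	eavesdropper, err := GenerateKeyPair(2048)
	if err != nil {
		panic(err)
	}

	// The sender knows only receiver.PublicKey (obtained, say, from a certificate).
	msg := []byte("constructed example: a short AES session key would go here")
	ct, err := EncryptToPublic(&receiver.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("cipher text length in bytes:", len(ct)) // 256 for a 2048-bit modulus

	pt, err := DecryptWithPrivate(receiver, ct)
	fmt.Printf("receiver decrypts: %q err=%v\n", pt, err)
	_, err = DecryptWithPrivate(eavesdropper, ct)
	fmt.Println("a different private key fails:", err != nil)
}
```

RSA-OAEP with a 2048-bit key can carry at most 190 bytes, which is why in practice it wraps a symmetric session key and the bulk data is encrypted with a secret key algorithm such as AES.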
14.7.3 Hash Functions
Figure 14.8 Hash function (has no key, since the plain text is not recoverable from the hash value)
Hash functions are one-way functions that, in some sense, use no key. A hash function computes a
fixed-length hash value from the plaintext. Once a hash function has been applied, it is
infeasible to recover the contents, or even the length, of the plaintext from the hash value
(Figure 14.8).
Hash functions are generally used to ensure that a file has not been altered by an intruder or a
virus. Any change made to the contents of a message will result in the receiver calculating a
different hash value from the one placed in the transmission by the sender. A plain hash, however,
only detects accidental or unsophisticated changes: an intruder who can replace the message can
recompute the hash as well, so protection against deliberate tampering requires a keyed hash (a
message authentication code such as HMAC) or a digital signature.
Hash functions are commonly employed by operating systems to store passwords, which are kept as
salted hashes rather than in the clear.
The Message Digest (MD5) and Secure Hash Algorithm (SHA) families are the most commonly used hash
algorithms. MD5 and SHA-1 are now considered broken, since collisions can be found for them, and
should not be used in new designs; SHA-256 or a later member of the SHA-2 or SHA-3 families is
preferred.
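The following Go program is an added example, not part of the original chapter. It shows the integrity check described above with SHA-256, then shows the weakness of a plain hash against an intruder who can rewrite the message, and finally shows the keyed version (HMAC-SHA256) that such an intruder cannot forge. The messages, the shared MAC key and the Intercept model of the attacker are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest is the plain hash a sender might send along with a message.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// CheckDigest recomputes the hash at the receiver and compares it with the transmitted one.
func CheckDigest(data []byte, transmitted string) bool {
	return Digest(data) == transmitted
}

// Tag is a keyed hash (HMAC-SHA256). Without the key an intruder cannot produce a valid tag.
func Tag(key, data []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return hex.EncodeToString(m.Sum(nil))
}

// CheckTag compares in constant time so that timing does not reveal how many bytes matched.
func CheckTag(key, data []byte, transmitted string) bool {
	want, err := hex.DecodeString(transmitted)
	if err != nil {
		return false
	}
	got, _ := hex.DecodeString(Tag(key, data))
	return hmac.Equal(want, got)
}

// Intercept models a man-in-the-middle who rewrites the message and fixes up whatever check
// value he is able to compute. With a plain hash that is everything; with an HMAC he lacks the key.
func Intercept(original []byte) (newData []byte, newHash string) {
	newData = []byte("PAY 9000 TO mallory")
	return newData, Digest(newData)
}

func main() {
	msg := []byte("PAY 100 TO bob") // constructed message
	h := Digest(msg)
	corrupted := append([]byte{}, msg...)
	corrupted[4] = '9' // a single changed character
	fmt.Println("corruption detected by plain hash:", !CheckDigest(corrupted, h))

	newMsg, newHash := Intercept(msg)
	fmt.Println("attacker's rewrite passes plain-hash check:", CheckDigest(newMsg, newHash))

	key := []byte("key shared out of band") // assumption: pre-shared MAC key
	tag := Tag(key, msg)
	fmt.Println("original passes HMAC check:", CheckTag(key, msg, tag))
	fmt.Println("attacker's rewrite passes HMAC check:", CheckTag(key, newMsg, tag))
}
```

The same reasoning applies to checksums published next to downloads: a SHA-256 on the same server as the file only catches a corrupt transfer, while a signature (or a hash obtained through an independent channel) is what catches a replaced file.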
The different cryptographic schemes are often used in combination for a secure transmission.
Cryptography is used in applications like, security of ATM cards, computer passwords, and
electronic commerce. Cryptography is used to protect data from theft or alteration, and also for
user authentication.
Certification Authorities (CA) are necessary for widespread use of cryptography for e-commerce
applications. CAs are trusted third parties that issue digital certificates for use by other parties. A
CA issues digital certificates which contains a public key, a name, an expiration date, the name
of authority that issued the certificate, a serial number, any policies describing how the certificate
was issued, how the certificate may be used, the digital signature of the certificate issuer, and any
other information.
14.8 DIGITAL SIGNATURE
A signature on a legal, financial or any other document authenticates the document. A photocopy
of that document does not count. For computerized documents, the conditions that a signed
document must hold are—(1) The receiver is able to verify the sender (as claimed), (2) The
sender cannot later repudiate the contents of the message, (3) The receiver cannot concoct the
message himself. A digital signature is used to sign a computerized document. The properties of
a digital signature are same as that of ordinary signature on a paper. Digital signatures are easy
for a user to produce, but difficult for anyone else to forge. Digital signatures can be permanently
tied to the content of the message being signed and then cannot be moved from one document to
another, as such an attempt will be detectable.
Digital signature scheme is a type of asymmetric cryptography. Digital signatures use the public-
key cryptography, which employs two keys—private key and public key. The digital signature
scheme typically consists of three algorithms:
Key generation algorithm—The algorithm outputs private key and a corresponding public key.
Signing algorithm—It takes, message + private key, as input, and, outputs a digital signature.
Signature verifying algorithm—It takes, message + public key + digital signature, as input, and,
accepts or rejects digital signature.
The use of digital signatures typically consists of two processes—Digital signature creation and
Digital signature verification (Figure 14.9). Two methods are commonly used for creation and
verification of the digital signatures.
Figure 14.9 Digital signature
In the first method, the signer has a private key and a public key. For a message to be sent, the
signer generates the digital signature by applying the private key directly to the message (the
textbook description of this is "encrypting the message with the private key"). The digital
signature is sent to the receiver along with the message. The receiver uses the signer's public key
(known to the receiver) to verify the digital signature. Even though many people may know the
public key of a given signer and use it to verify that signer's signatures, they cannot derive the
signer's private key from it and so cannot forge signatures. This method is rarely used as it
stands: it is slow for long messages and, without padding, the raw private-key operation is open
to forgeries, so practical systems use the second method.
In the Second Method, a hash function is used for digital signature. It works as follows:
o Digital signature creation
The signer has a private key and a public key.
For a message to be sent, a hash function in the signer’s software computes an
“original hash result” unique to the “original message”.
The signer uses signing algorithm to generate a unique digital signature.
“original hash result” + signer’s private key = digital signature.
o The generated digital signature is attached to its “original message” and transmitted
with it.
o Digital signature verification uses digital signature, “received message” and signer’s
public key.
A “new hash result” of the “received message” is computed using the same
hash function used for the creation of the digital signature.
The verification software checks two things: whether the digital signature was created
with the signer's private key, and whether the "received message" is unaltered. For this,
the signer's public key is used to verify the digital signature (the public key can only
verify a signature created with the matching private key). Verification recovers, or
recomputes, the "original hash result" carried by the digital signature and compares it
with the "new hash result". Only when both checks come out "true" is the received message
accepted as genuine.
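The following Go program is an added example, not code from the original chapter, of the second method with ECDSA over the P-256 curve from Go's standard library: the signer hashes the message with SHA-256 and signs the hash with the private key, and the verifier recomputes the hash of the received message and checks the signature with the signer's public key. The order text, the impostor's key and the function names are constructed for the example; it also checks that a signature cannot be moved to another document.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// KeyGen is the key generation algorithm: the signer's private key and the public key
// that verifiers will use.
func KeyGen() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign is the signing algorithm of the second method: hash the message ("original hash
// result"), then sign the hash with the private key.
func Sign(priv *ecdsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the verifying algorithm: recompute the "new hash result" over the received
// message and check the signature against it with the signer's public key.
func Verify(pub *ecdsa.PublicKey, received, signature []byte) bool {
	digest := sha256.Sum256(received)
	return ecdsa.VerifyASN1(pub, digest[:], signature)
}

func main() {
	signer, err := KeyGen()
	if err != nil {
		panic(err)
	}
	order := []byte("order 4711: 100 units, deliver to warehouse B") // constructed document
	sig, err := Sign(signer, order)
	if err != nil {
		panic(err)
	}
	fmt.Println("original message, signer's key:   ", Verify(&signer.PublicKey, order, sig))

	altered := []byte("order 4711: 1000 units, deliver to warehouse B")
	fmt.Println("altered message, same signature:   ", Verify(&signer.PublicKey, altered, sig))

	other := []byte("order 4712: 5 units, deliver to warehouse A")
	fmt.Println("signature moved to another document:", Verify(&signer.PublicKey, other, sig))

	impostor, _ := KeyGen()
	forged, _ := Sign(impostor, order)
	fmt.Println("signed with a different private key:", Verify(&signer.PublicKey, order, forged))
}
```

Only the first check succeeds. The verifier never needs the signer's private key, which is exactly what lets the public key be distributed freely, for instance inside a certificate.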
The digital signature accomplish the effects desired of a signature for many legal purposes:
Signer Authentication: The digital signature cannot be forged, unless the signer loses control of
the private key.
Message Authentication: The digital signature verification reveals any tampering, since the
comparison of the hash results shows whether the message is the same as when signed.
Efficiency. The digital signatures yield a high degree of assurance (as compared to paper
methods like checking specimen signatures) without adding much to the resources required for
processing.
Provided the private key is kept secret and the scheme is designed and implemented as prescribed
by the industry standards, the likelihood of a malfunction or security problem in a digital
signature cryptosystem is extremely remote; in practice, failures come from stolen or leaked
private keys and from implementation errors rather than from the mathematics. Digital signatures
have been accepted in several national and international standards developed in cooperation with
and accepted by many corporations, banks, and government agencies. In India “Information
Technology Act 2000” provides legal recognition for transactions carried out by means of
electronic data interchange and other means of electronic communication, commonly referred to
as “electronic commerce”, which involves the use of alternatives to paper based methods of
communication and storage of information, to facilitate electronic filing of documents with the
government agencies.
14.9 FIREWALL
A firewall is a security mechanism to protect a local network from the threats it may face while
interacting with other networks (Internet). A firewall can be a hardware component, a software
component, or a combination of both. It prevents computers in one network domain from
communicating directly with other network domains. All communication takes place through the
firewall, which examines all incoming data before allowing it to enter the local network (Figure
14.10).
Functions of Firewall—The main purpose of firewall is to protect computers of an organization
(local network) from unauthorized access. Some of the basic functions of firewall are:
Firewalls provide security by examining the incoming data packets and allowing them to enter
the local network only if the conditions are met (Figure 14.11).
Firewalls provide user authentication by verifying the username and password. This ensures that
only authorized users have access to the local network.
Firewalls can be used for hiding the structure and contents of a local network from external
users. Network Address Translation (NAT) conceals the internal network addresses and replaces
all the IP addresses of the local network with one or more public IP addresses.
Figure 14.10 (a) Windows firewall icon in control panel (b) Windows firewall setting (c)
Security center
The local network reaches the Internet through a single masquerading host (the NAT gateway). Local
network clients use private IP addresses that are not routable on the Internet. When a client sends
a packet to the Internet, the masquerading host replaces the source address of the packet with its
own public IP address and remembers the mapping. When the reply is received, the host looks up the
mapping, restores the client's private address as the destination, and forwards the packet to the
respective client.
Figure 14.11 Firewall
Working of Firewall—The working of a firewall is based on a filtering mechanism. The filtering
mechanism examines the source address, the destination address and, in some firewalls, the contents
of the data. Typically, connections from the local network out to the Internet are allowed without
further authentication, while data from the Internet is allowed into the local network only in
response to a request from an authorized internal host, or where an explicit rule permits it.
Firewall Related Terminology:
Gateway—The computer that helps to establish a connection between two networks is called
gateway. A firewall gateway is used for exchanging information between a local network and
the Internet.
Proxy Server—A proxy server masks the local network’s IP address with the proxy server IP
address, thus concealing the identity of local network from the external network. Web proxy
and application-level gateway are some examples of proxy servers. A firewall can be deployed
with the proxy for protecting the local network from external network.
Screening Routers—They are special types of router with filters, which are used along with the
various firewalls. Screening routers check the incoming and outgoing traffic based on the IP
address, and ports.
14.9.1 Types of Firewall
All the data that enter a local network must come through a firewall. The type of firewall used
varies from network to network. The following are the various types of firewalls generally used:
Packet filter Firewall
Circuit Filter Firewall
Proxy server or Application-level Gateway
14.9.1.1 Packet Filter Firewall
Packet Filter Firewall is usually deployed on the routers (Figure 14.12). It is the simplest kind of
mechanism used in firewall protection.
Figure 14.12 Packet filtering
It is implemented at the network level to check incoming and outgoing packets.
The IP packet header is checked for the source and the destination IP addresses and the port
combinations.
After checking, the filtering rules are applied to the data packets for filtering. The filtering rules
are set by an organization based on its security policies.
If the packet is found valid, then it is allowed to enter or exit the local network.
Packet filtering is fast, easy to use, simple and cost effective.
A majority of routers in the market provide packet filtering capability. It is used in small and
medium businesses.
Packet filter firewall does not provide a complete solution.
14.9.1.2 Circuit Filter Firewall
Circuit filter firewalls provide more protection than packet filter firewalls. A circuit filter
firewall is also known as a "stateful inspection" firewall.
It prevents the transfer of suspect packets by checking them at the transport layer, where TCP
connections are visible.
It checks all the connections made to the local network, in contrast to the packet filter
firewall, which makes a filtering decision on each packet in isolation.
It takes its decision by examining the packets that pass through it and recording the connections
they belong to in a state table. The circuit-level filter uses this table to keep track of the
connections that go through the firewall.
For example, when an application that uses TCP creates a session with a remote host, the TCP port
of the remote service is usually a well-known port below 1024, while the local client uses an
ephemeral port between 1024 and 65535. A packet filter firewall, which cannot tell a reply from a
new connection, therefore has to allow any inbound packet whose destination port lies in the range
1024 to 65535. The circuit filter firewall instead keeps a directory of all outbound TCP
connections, and an inbound packet is allowed only if its addresses and port numbers match an
entry in that directory.
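The following Go program is an added example, not from the original chapter, that models the two filter types just described on constructed traffic: a stateless rule set that must admit every inbound packet to an ephemeral port, and a stateful filter that records outbound connections and admits only inbound packets belonging to one of them. The addresses, ports, rule format and the Packet, Rule and StatefulFilter types are the example's own simplifications; a real firewall also tracks connection teardown and timeouts.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet carries only the header fields a firewall looks at.
type Packet struct {
	Src, Dst         netip.Addr
	SrcPort, DstPort uint16
	Inbound          bool // true: arriving from the Internet towards the local network
	Syn, Ack         bool // the TCP flags that matter here
}

// MakePacket builds a packet from dotted addresses (helper for the constructed traffic).
func MakePacket(src, dst string, sport, dport uint16, inbound, syn, ack bool) Packet {
	return Packet{netip.MustParseAddr(src), netip.MustParseAddr(dst), sport, dport, inbound, syn, ack}
}

// Rule is one line of a stateless packet-filter policy.
type Rule struct {
	Inbound              bool
	DstPortLo, DstPortHi uint16
	Allow                bool
}

// StatelessFilter applies the rules in order; the first match wins; the default is deny.
func StatelessFilter(rules []Rule, p Packet) bool {
	for _, r := range rules {
		if r.Inbound == p.Inbound && p.DstPort >= r.DstPortLo && p.DstPort <= r.DstPortHi {
			return r.Allow
		}
	}
	return false
}

// flow identifies one TCP connection as seen from the local network.
type flow struct {
	local, remote         netip.Addr
	localPort, remotePort uint16
}

// StatefulFilter keeps the "directory of outbound connections" described in the text.
type StatefulFilter struct {
	table    map[flow]bool
	localNet netip.Prefix
}

func NewStatefulFilter(localCIDR string) *StatefulFilter {
	return &StatefulFilter{table: map[flow]bool{}, localNet: netip.MustParsePrefix(localCIDR)}
}

// Allow passes outbound traffic from genuine local addresses and records each new outbound
// connection (SYN without ACK). An inbound packet passes only if it belongs to a recorded
// connection, so an unsolicited inbound SYN to an ephemeral port is dropped.
func (f *StatefulFilter) Allow(p Packet) bool {
	if !p.Inbound {
		if !f.localNet.Contains(p.Src) {
			return false // spoofed source address trying to leave the network
		}
		if p.Syn && !p.Ack {
			f.table[flow{p.Src, p.Dst, p.SrcPort, p.DstPort}] = true
		}
		return true
	}
	return f.table[flow{p.Dst, p.Src, p.DstPort, p.SrcPort}]
}

func main() {
	// The stateless policy from the text: replies must be allowed to every ephemeral port.
	rules := []Rule{{Inbound: true, DstPortLo: 1024, DstPortHi: 65535, Allow: true}}
	reply := MakePacket("203.0.113.10", "10.0.0.7", 443, 51000, true, false, true) // web server's reply
	probe := MakePacket("198.51.100.9", "10.0.0.7", 4444, 51000, true, true, false) // attacker's SYN
	fmt.Println("stateless: reply allowed", StatelessFilter(rules, reply), "| probe allowed", StatelessFilter(rules, probe))

	sf := NewStatefulFilter("10.0.0.0/24")
	sf.Allow(MakePacket("10.0.0.7", "203.0.113.10", 51000, 443, false, true, false)) // client's outbound SYN
	fmt.Println("stateful:  reply allowed", sf.Allow(reply), "| probe allowed", sf.Allow(probe))
}
```

The stateless filter lets the attacker's probe through because it is indistinguishable from a reply by port number alone; the stateful filter drops it because no local host ever opened a connection to that attacker.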
14.9.1.3 Application-Level Gateway
An application-level gateway or a proxy server protects all the client applications running on a
local network from the Internet by using the firewall itself as the gateway (Figure 14.13).
A proxy server creates a virtual connection between the source and the destination hosts.
A proxy firewall operates on the application layer. The proxy ensures that a direct connection
from an external computer to local network never takes place.
The proxy automatically segregates all the packets depending upon the protocols used for them.
A proxy server must support various protocols. It checks each application or service, like Telnet
or e-mail, when they are passed through it.
A proxy server is easy to implement on a local network.
Application-level gateways or proxy servers tend to be more secure than packet filters. Instead of
checking only which combinations of IP addresses and TCP ports are to be allowed, a proxy checks
which applications are allowed and can inspect the content of the application-level exchange.
Figure 14.13 Application-level gateway
14.10 USERS IDENTIFICATION AND AUTHENTICATION
Identification is the process whereby a user claims an identity to the system; authentication is
the process of verifying that claim. For example, in a system that uses usernames and passwords,
the user enters a username for identification and a password for authentication: the system
verifies that the password is correct for that username, and thus that the user is who they claim
to be. Before granting access to a system, the user's identity needs to be authenticated. If users
are not properly authenticated, the system is potentially vulnerable to access by unauthorized
users. If strong identification and authentication mechanisms are used, the risk that unauthorized
users will gain access to the system is significantly decreased. Authentication uses one or more
of: something you have (such as a smart card), something you know (a password), and something you
are (biometrics such as fingerprints or retina scans). Requiring two of these together is called
two-factor authentication.
We will now briefly discuss the following authentication mechanisms:
User name and password
Smart Card
Biometrics—Fingerprints, Iris/retina scan
Once the user is authenticated, the access controls for the user are also defined. Access controls
is what the user can access once he is authenticated.
14.10.1 User Name and Password
The combination of username and password is the most common method of user identification and
authentication. Systems that use password authentication first require the user to register a
username and a password. The next time the user uses the system, they enter their username and
password. The system does not store the password itself but a salted hash of it: it hashes the
entered password in the same way and compares the result with the stored hash for that username.
If the two match, the user is authenticated and is granted access to the system (Figure 14.14).
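The following Go program is an added example, not code from the original chapter, of the registration and login flow just described: the store keeps a per-user random salt and a slow hash of the password, looks the username up (identification), recomputes the hash of the entered password and compares it with the stored one in constant time (authentication). It also returns the same error, after the same amount of work, whether the username is unknown or the password is wrong, so that an attacker cannot use the response to discover which usernames exist. The UserStore type, the iterated SHA-256 standing in for a real password hashing function, and the sample users are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const iterations = 50000 // stand-in for a real password KDF (bcrypt, scrypt, Argon2)

type record struct {
	salt []byte
	hash []byte
}

// UserStore holds salted password hashes; it never stores the password itself.
type UserStore struct{ users map[string]record }

func NewUserStore() *UserStore { return &UserStore{users: map[string]record{}} }

// derive computes iterations rounds of SHA-256 over salt||password.
func derive(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	for i := 1; i < iterations; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

// Register picks a fresh 16-byte random salt per user, so two users with the same
// password get different stored hashes.
func (s *UserStore) Register(username, password string) error {
	if _, exists := s.users[username]; exists {
		return errors.New("username taken")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	s.users[username] = record{salt: salt, hash: derive(salt, password)}
	return nil
}

// One error value for both failure cases: the caller learns nothing about which one occurred.
var errAuth = errors.New("invalid username or password")

// dummy record used when the username is unknown, so that the derivation still runs.
var dummy = record{salt: make([]byte, 16), hash: make([]byte, 32)}

// Login performs identification (look up the username) and authentication (compare hashes).
// An unknown user still costs one derivation, so response time does not reveal whether the
// username exists, and the comparison is constant-time.
func (s *UserStore) Login(username, password string) error {
	rec, ok := s.users[username]
	if !ok {
		rec = dummy
	}
	match := subtle.ConstantTimeCompare(derive(rec.salt, password), rec.hash) == 1
	if !ok || !match {
		return errAuth
	}
	return nil
}

func main() {
	store := NewUserStore()
	if err := store.Register("alice", "correct horse battery staple"); err != nil {
		panic(err)
	}
	fmt.Println("alice, right password:", store.Login("alice", "correct horse battery staple"))
	fmt.Println("alice, wrong password:", store.Login("alice", "hunter2"))
	fmt.Println("unknown user:          ", store.Login("mallory", "hunter2"))
}
```

The constant-time comparison and the dummy derivation are there because an authentication check that fails faster for one kind of mistake leaks information; a rate limit on failed attempts per username and per source address is the usual complement against online guessing.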