MS Press Microsoft Encyclopedia of Security pdf

(1)

(2)

PUBLISHED BY Microsoft Press

A Division of Microsoft Corporation One Microsoft Way

Redmond, Washington 980526399

Library of Congress CataloginginPublication Data Tulloch, Mitch.

Microsoft Encyclopedia of Security / Mitch Tulloch. p. cm.

ISBN 0735618771

1. Computer securityEncyclopedias 2. Computer networksSecurity measures-Encyclopedias. I. Title.

QA76.9.A25T85 2003

005.'8'03dc21 2003051323

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 8 7 6 5 4 3

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further informa tion about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 9367329. Visit our Web site at www.microsoft.com/mspress. Send comments to [email protected].

Active Directory, ActiveX, Authenticode, BackOffice, Hotmail, Microsoft, Microsoft Press, MSDOS, MSDN, MSN, Windows, Windows NT, and Windows Server are either registered trademarks or trade marks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Acquisitions Editor: Jeff Koch

(3)

(4)

(5)

Thanks to my wife and business partner, Ingrid Tulloch, who was coauthor of our previous project with Microsoft Press, the Microsoft Encyclopedia of Networking, Second Edition. Thanks, Schatz, for contributing endless long hours of research and numerous helpful suggestions to assist me in writing this work. What a wife!

Thanks to the terrific team at Microsoft Press (mspress.microsoft.com) and nSight (www.nsightworks.com), including Jeff Koch, Sandra Haynes, Valerie Woolley, Susan McClung, Thomas Keegan, and Christina Palaia for their hard work and excellent suggestions. What a team!

Thanks to Neil Salkind of Studio B (www.studiob.com), my friend and literary agent who represented me in this project. What an agent!

Thanks to MTS Communications Inc. (www.mts.ca), for providing our company with Internet and Web hosting services. What a company!

And thanks finally to Ken and Bonnie Lewis, our best friends, and their four terrific kids, Karina, Alana, Sheri, and Vanessa, for encouraging us and praying for us as we worked on this project. What a family! And what friends!

Mitch Tulloch

(22)

(23)

Introduction

Welcome to the Microsoft Encyclopedia of Security, a general survey of computer security concepts, technol ogies, and tools. This work is intended to be a compre hensive, accurate, and up-to-date resource for students and practitioners, for policy and decision makers, for system and network administrators, and anyone else who works with computer, network, and information systems security.

What Is Computer Security?

Before we outline the scope of this work, let’s begin with a simple question that has a surprisingly broad answer: What is computer security? We’ll consider this question from seven different perspectives.

Threats and Vulnerabilities

Perhaps the most visible aspect of computer security today is the constant media attention surrounding vul nerabilities in software and the proliferation of viruses and other threats on the Internet. So one way of answer ing our question is that computer security is the science (and art) of dealing with threats and vulnerabilities.

Vulnerabilities generally arise from coding errors or bugs in software systems. This is not always the result of poor quality control of code development but instead is due to the ingenuity of hackers (good and bad) who explore and tinker with products looking for ways to circumvent security controls or simply see “what if” when unusual conditions or data arise. Some of the common vulnerabilities affecting software systems include

● Buffer overflows

● Input validation errors

● Uniform Resource Locator (URL) parsing errors

● Flawed password schemes

● � Faulty implementation of Request for Comments

(RFC) specifications

● Poorly configured default permissions

● Flawed security models

● Poor exception handling

Also garnering media attention these days are the vari ous threats to computer security that are reported almost daily. Common threats that can affect the secu rity of information system include

● � Viruses, worms, Trojans, spyware, and other forms

of malware

● � Denial of service (DoS) and distributed denial of

service (DDoS) attacks

● � Other activity by black hat hackers, crackers, and

script kiddies

Standards and Protocols

Another aspect of computer security is the various industry standards and protocols designed to provide confidentiality, integrity, and availability for data in information systems. Such standards may be

● � Industry-wide efforts developed by such indepen

dent standards organizations as the Internet Engi neering Task Force (IETF), the World Wide Web Consortium (W3C), and the Organization for the Advancement of Structured Information Systems (OASIS)

● � Specifications developed by consortiums of ven

(24)

Introduction

● � Standards developed by such government agencies

and organizations as the National Institute of Stan dards and Technology (NIST), National Computer Security Center (NCSC), and National Security Agency (NSA)

Standards outlining specifications for commonly used security protocols are especially important because these protocols provide authentication, encryption, and other features that help keep computer networks secure. Some common examples of security protocols and mechanism include

● � Network authentication protocols such as Kerberos

and NT LAN Manager (NTLM)

● � Protocols for secure exchange of data over the

Internet such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

● � Protocols for wireless security such as Wired

Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), Wi-Fi Protected Access, and 802.11i

● � Remote access protocols such as Password Authen

tication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

● � Protocols for secure virtual private networking such

as Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) combined with Internet Protocol Security (IPSec)

● � Protocols for Authentication, Authorization, and

Accounting (AAA) such as Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access Control System (TACACS), and TACACS+ Protocols for secure Extensible Markup Language (XML) Web services including Web Ser vices Security (WS-Security), XML Encryption (XMLENC), and XML Signatures (XMLDSIG)

● � International standards like ISO 17799 outlining

best practices for information security

Hacking and Cracking

Another aspect of computer security involves the activ ities and exploits of individuals who seek to defeat it. These include hackers, crackers, phreakers, script kid-dies, and the authors of viruses, worms, and Trojans. The term “hacker” is perhaps the most controversial one for security professionals, as it originally had no negative connotation and described individuals who were technically savvy and insatiably curious about everything having to do with computers. Today “hacker” is usually used pejoratively by the media, and to correct this influence the idea of “hats” was put for-ward, classifying hackers into white hats (good guys), gray hats (not so sure), and black hats (bad guys).

When we examine computer security from the perspec tive of hacking and cracking, we can talk about several issues, including

● � General procedures used for breaking into com

puter networks, including footprinting, stack fin gerprinting, enumeration, port scanning, address spoofing, session hijacking, elevation of privileges, root exploits, back channels, and log doctoring

● � Common types of tools used to compromise sys

tems, including sniffers, password crackers, root-kits, wardialers, vulnerability scanners, backdoors, remote administration tools (RATs), and malicious code

● � Security tools that can be used for malicious pur

poses, ranging from sophisticated utilities such as Nmap, Fping, Snort, Netcat, and System Adminis trator Tool for Analyzing Networks (SATAN) to simple network troubleshooting tools such as Ping, Traceroute, Netstat, Finger, Nslookup, and Whois

● � Popular exploits such as Smurf, Jolt, Bonk, Boink,

(25)

Introduction

● � Popular hacking and cracking Web sites, organiza

tions, and media, such as 2600 magazine, Phrack, Attrition.org, Cult of the Dead Cow (cDc), and numerous others

Tools and Procedures

Yet another aspect of computer security is the tools and procedures used by businesses to protect the security of their systems, networks, and data. Security tools may either be commercial or free, proprietary or open source, and can be developed by legitimate security companies or borrowed from the black hat community.

At the simplest level are security technologies used to protect entry and control access to networks including

● � Authentication mechanisms such as passwords,

tickets, tokens, smart cards, and biometric systems

● � Access control mechanisms such as discretionary

access control (DAC) and mandatory access control (MAC)

● � Permissions, rights, and other privileges that con

trol system processes and tasks

● � Auditing and logging mechanisms for recording

security-related events and occurrences

Then there are tools and procedures used to protect net-works from threats on the Internet, such as

● Firewalls and packet filtering routers

● Intrusion detection systems (IDSs) and honeypots

● � Virus protection software and file system integrity

checkers

● Vulnerability scanners and security auditing systems

Another important issue is the practices, procedures, and policies used to ensure network security, including

● Hardening systems and bastion hosts

● Penetration testing and security auditing

● Security policies and privacy policies

Organizations and

Certifications

We’ve already mentioned Web sites frequented by black hats, but what about sites and organizations for legitimate security professionals? Numerous security advisory and support organizations exist that every security professional should be aware of, including

● SANS Institute

● Center for Internet Security (CIS)

● CERT Coordination Center (CERT/CC)

● � Forum of Incident Response and Security Teams

(FIRST)

● Microsoft Security Response Center (MSRC)

Certifications for security professionals are a way of ensuring one’s skills are up to date and stand out from the crowd. Some of the popular certifications available include

● � Certified Information Systems Security Profes

sional (CISSP)

● System Security Certified Practitioner (SSCP)

● Certificate Information Systems Auditor (CISA)

● � Global Information Assurance Certification

(GIAC)

Cryptography

Ensuring the privacy and confidentiality of data stored on and transmitted between information systems is another important aspect of computer security, and this is built on the foundation of cryptography, the branch of mathematics concerned with procedures for encrypting and decrypting information. Every security profes sional should be familiar with the basics of this field, including knowledge of

● � Public key cryptography with its elements of certif

(26)

Introduction

● � Secret key cryptography based on block ciphers,

stream ciphers, one-time passwords (OTPs), ses sion keys, and other constructs

● � Encryption algorithms such as Blowfish, Rijndael,

Twofish, MD5, RC4, Skipjack, Diffie-Hellman, and RSA

● � Encryption standards such as Advanced Encryption

Standard (AES), Data Encryption Standard (DES), and Digital Signature Standard (DSS)

● � Encryption schemes for secure messaging such as

Secure Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP)

● � Methods for cracking keys and passwords including

brute-force and dictionary attacks

Legal Issues

Finally, there are the legal issues surrounding computer and information systems security. These include

● � Software piracy and the technologies, laws, and

initiatives designed to prevent it

● � Privacy laws relating to what companies can do with

personally identifiable information (PII) collected from individuals

● � International agreements such as the Wassenaar

Arrangement, which covers export control of dual-use technology such as encryption

● � Technologies and initiatives for making computer

systems more trustworthy such as Microsoft Corpo ration’s Trustworthy Computing Initiative, the Trusted Computing Platform Alliance (TCPA), and Microsoft Corporation’s Next-Generation Secure Computing Base for Windows, formerly called Palladium

Who This Work Is For

I think you can already see that the scope of this book is broad and wide, as an encyclopedia should be. This breadth of coverage is needed because computer secu rity affects many different fields and requires that

security professionals have broad knowledge and skills concerning computer networking, operating systems, the Internet, code development, cryptography, indicant response, forensics, and local, federal, and international law. What a business to be in! But what exciting times! Never before have professionals with computer security expertise been in so much demand to protect companies against a seemingly exponential rise in threats, attacks, and exploits against their systems and data.

The computer security field is growing in leaps and bounds, and this book is an attempt to provide a snap-shot of everything and anything that has to do with the field. Future editions of this book are likely to include even more information as new exploits, tools, stan dards, and technologies are developed by both security professionals and black hat hackers. This present edi tion, however, is likely to be an invaluable reference work for the following kinds of individuals:

● � Computer security professionals and practitioners

in business, industry, government, and the military

● � System and network administrators who work

mainly with Windows, UNIX, and Linux platforms

● � Students considering and/or pursuing academic

degrees in computer science or industry certifica tions in information security

● � Corporate policy makers, decision makers, and

executives involved in MIS (Management Informa tion Services), IS (Information Services), and IT (information technology)

How This Work Is Organized

(27)

Introduction

articles also finish with cross-references to related topics found elsewhere in this book.

Disclaimer

The information contained in this work has been obtained from sources believed to be reliable. Although both the author and Microsoft Press have made every effort to be fair and accurate, neither the author nor the publisher assume any liability or responsibility for any inaccuracy or omissions contained within this book, or for any loss or damage resulting from application of the information presented therein. In other words, the infor mation provided in this book is presented on an “as is” basis. Mention of organizations, vendors, products, and services in this work are not to be viewed as endorse ments by either the author or by Microsoft.

Comments and Questions

If you have comments, questions, or suggestions � regarding this encyclopedia, please direct them to � Microsoft Press at [email protected] or at the � following postal address:�

Microsoft Press�

Attn: Microsoft Encyclopedia of Security Editor� One Microsoft Way�

Redmond, WA 98052-6399� USA�

Please note that product support is not offered through � the above addresses.�

(28)

(29)

#

Numbers

and Symbols

3DES

Also called Triple DES or EDE (encrypt, decrypt, encrypt), a secret key encryption algorithm based on repeated application of the Data Encryption Standard (DES).

Overview

3DES works by applying the DES algorithm three times in succession to 64-bit blocks of plaintext. It does this by using two independent 56-bit keys (K1 and K2) applied in the following manner:

1 Encryption with K1

2 Decryption with K2

Since this three-stage encryption process uses two different 56-bit keys, it has an effective key length of 2 × 56 = 112 bits, which is 256_{times stronger than DES.}

This means if you could crack a DES message in one hour, it would take 8 trillion years to crack 3DES using the same method! To decrypt a block of 3DES cipher-text you use the following procedure:

By setting K1 = K2 in the preceding encryption algo rithm, 3DES defaults to DES in operation. This issue of backward compatibility with DES is one of the reasons that EDE is used instead of the equally plausible EEE (encrypt, encrypt, encrypt) for 3DES.

3DES is defined by ANSI standard X5.92 and complies with Federal Information Processing Standards (FIPS) 140-1 Level 1.

Implementation

3DES is commonly used to implement Internet Proto col Security (IPSec) encryption in firewalls and routers for building secure virtual private networks (VPNs). Due to its licensing requirements, 3DES is generally not included in enterprise software and must be obtained as an add-in, such as the Microsoft Windows

2000 High Encryption Pack. Support for 3DES is

included in Microsoft Windows XP Professional for the Encrypting File System (EFS).

3DES is also on the way to replacing DES as a new standard for the electronic payment industries and is used to secure electronic transactions between banking and credit agencies and point-of-sale (POS) devices and automatic teller machines (ATMs). Both MasterCard and Visa, for example, are implementing end-to-end 3DES solutions for electronic funds transfers and payments.

Issues

The main drawback with 3DES is that it is slow because of the iterated nature of its algorithm. In principle, you could make DES even more secure by performing more than three iterations, but in practice the performance penalty is too great.

Notes

Some nonstandard implantations of 3DES employ three keys instead of two, with the difference being that the third iteration performs encryption using K3 instead of K1. The result is that the effective key length in these implementations of 3DES is 168 bits.

See Also: Data Encryption Standard (DES)

802.1 x

(30)

#

802.1x 802.1x

Overview

802.1x is a cornerstone of the Robust Security Network (RSN) initiative of the Institute of Electrical and Elec-tronics Engineers (IEEE) and the emerging 802.11i standard. The 802.1x standard works by providing port-based access control to both wired and wireless networks. It is built on two standard network security protocols:

● Extensible Authentication Protocol (EAP): An

extension to Point-to-Point Protocol (PPP) that is defined in RFC 2284 and allows an arbitrary authentication method to be negotiated during PPP session initialization

● Remote Authentication Dial-In User Service

(RADIUS): A client/server security protocol that

provides Authentication, Authorization, and Accounting (AAA) and is defined in RFCs 2138 and 2139

The 802.1x standard defines three types of entities: sup-plicant, authenticator, and authentication server. In a typical scenario, the supplicant is a remote user’s laptop that has an 802.1x-compliant wireless network interface card (NIC) installed, while the authenticator is an 802.1x-compliant access point and the authenticator an EAP-compatible RADIUS server. When an authentica-tor detects a new supplicant that needs to be authenti-cated, it sends the supplicant a challenge message encapsulated using the EAP-over-LAN (EAPoL) secu-rity protocol defined by 802.1x. The supplicant then sends its credentials to the authenticator, which repack-ages them as a RADIUS message and forwards this to the authentication server. The authentication server then compares the submitted credentials against its authenti-cation database or forwards them to another authentica-tion server. Once the client has been authenticated, the authentication server informs the authenticator, which then allows the supplicant to access the network. The authentication server can also distribute a session key to the supplicant through the authenticator, and the suppli-cant and authenticator can then use this key for encrypted communications between them.

fNSes01

802.1x. How 802.1x authentication works.

When used in a switched Ethernet environment, the authenticator is typically a switch or router that enables a specific physical port to allow the client access to the network. In this scenario, 802.1x is referred to as pro-viding port-based access control since it provides net-work access only through ports for which the client has been authenticated.

Implementation

There are several ways of deploying secure WLANs using 802.1x. The simplest scenario involves employing one or more RADIUS servers using a central authentica-tion database (typically Lightweight Directory Access Protocol [LDAP]– or SQL-based) and managing wireless clients at a single site. In a distributed environment the authentication database can be replicated across multi-ple sites, and the RADIUS servers and access points for each site can be autonomous or managed centrally.

A number of vendors have started to incorporate 802.1x support into their switches, RADIUS servers, access points, and network adapters, including Cisco, Hewlett-Packard, Microsoft, Enterasys, Funk Software, Wind River, and several others. Interoperability issues between offerings from different vendors depend largely on how 802.1x authentication is being implemented. For exam-ple, Cisco has created an authentication method called

Wireless access point EAP-compliant

RADIUS server

Credentials

2

Grant access to WLAN

5

EAPoL challenge

1

Repackaged credentials

4 Authorization

Wireless NIC with 802.1x-supporting client

(31)

#

802.11i

Lightweight Extensible Authentication Protocol (LEAP, or Lightweight EAP) that represents an interim step toward full 802.1x functionality. Other common authen tication methods supported by EAP and used in 802.1x include MD5, Transport Layer Security (TLS), and Tun neled TLS (TTLS).

Issues

Because of its built-in security and support for AAA, 802.1x holds promise for simplifying how Internet ser vice providers (ISPs) provision wireless Internet access in public spaces. However, researchers at the University of Maryland recently discovered that the present 802.1x � standard is vulnerable to certain kinds of session hijack ing or man-in-the-middle attacks. The cause of the problem is that 802.1x was designed mainly to secure the infrastructure (the WLAN access points and the wired network behind it) and not the clients themselves. A workaround is to supplement your WLANs with encrypted virtual private network (VPN) security, but in the meantime enterprises should use caution in deploying 802.1x as a panacea for their network security problems.

NotesŽ

Microsoft also includes built-in support for 802.1x in its Microsoft Windows XP Professional and Windows Server 2003 operating systems.

See Also: 802.11i, Extensible Authentication Protocol

(EAP), Remote Authentication Dial-In User Service (RADIUS), wireless security

802.11i

An emerging standard specifying security enhance ments for the 802.11 wireless networking.

Overview

The development of 802.11i was motivated by serious flaws discovered in the earlier 802.11 security protocol called Wired Equivalent Privacy (WEP). The result was the Robust Security Network (RSN) initiative devel oped by the Institute of Electrical and Electronics Engi neers (IEEE), of which the emerging 802.11i standard is the cornerstone. The 802.11i standard provides enhancements to the security of existing wireless local area network (WLAN) standards, including 802.11a,

2600

802.11b, and 802.11g. These security enhancements include new authentication procedures, strengthened encryption schemes, and dynamic key allocation, all with the goal of ensuring WLANs are as secure as wired LANs. The 802.11i standard will include support for 802.1x port-based access control, Temporal Key Integrity Protocol (TKIP), Advanced Encryption Stan dard CBC-MAC Protocol (AES-CCMP) encryption, secure fast handoff, and secure deauthentication and disassociation.

The 802.11i standard is expected to be finalized by the IEEE in 2003. As an interim measure until the final 802.11i standard becomes available, the Wi-Fi Alliance has released an upgrade for WEP called Wi-Fi Pro tected Access (WPA), which is forward-compatible with 802.11i and can be implemented easily in existing wireless-networking equipment through firmware upgrades.

See Also: 802.1x, Advanced Encryption Standard

(AES), Temporal Key Integrity Protocol (TKIP), Wired Equivalent Privacy (WEP), wireless security

2600

A magazine devoted to hacking, cracking, and freedom of information.

Overview

(32)

#

2600 2600

discovered they could use the Captain Crunch whistle to make free long-distance calls, an activity called

phreaking (phone hacking).

The 2600 team has also done other projects, including producing Freedom Downtime, a feature-length film about convicted cracker Kevin Mitnick, that aim to counter what hackers feel are unfair media portrayals of their subculture.

2600 also has a Web site (www.alt2600.com), and there

is a series of newsgroups (alt.2600.*) used by the hacker community that contains a useful FAQ on secu rity issues.

(33)

A

A5

A family of algorithms that is used to encrypt Global System for Mobile Communications (GSM) cellular communications.

Overview

A5 is a stream cipher that comes in two flavors: a “strong” form (A5/1) that is proprietary and a “weak form” (A5/2) that is in the public domain. In 1999, how-ever, a crack for A5/1 was developed by Adi Shamir (the S in the Rivest-Shamir-Adleman or RSA algo rithm) that can be run in real time using only a standard PC. This cryptographic feat meant that the privacy of cellular phone conversations of over 200 million users of GSM systems in Europe and Asia was endangered. As a result, a joint working party between the GSM Association Security Group and the 3rd Generation Partnership Project (3GPP) developed a newer and more secure algorithm called A5/3, which is based on the Kasumi algorithm and which is intended to ensure the privacy of GSM communications.

See Also: cracking, cryptography, RSA algorithm,

stream cipher

AAA

Stands for Authentication, Authorization, and Account ing, a security framework for controlling access to net-work resources.

See: Authentication, Authorization, and Accounting

(AAA)

acceptable use policy (AUP)

A policy that defines appropriate use of computing resources for a company or organization.

Overview

Developing an acceptable use policy for your network

for any good security policy. An acceptable use policy should generally have three goals:

● To communicate clearly which types of activities

are not acceptable and why

● To provide legal notice concerning these unaccept

able activities so that violators can be punished accordingly

● To protect the company from legal action for

alleged violations of privacy

Examples of proscribed actions might include the following:

● Using another employee’s user account with or

without that person’s permission

● Reading, copying, or altering files belonging to

another employee without that person’s permission

● Using the company’s computing resources for per

sonal gain

● Sending unsolicited commercial e-mail (UCE),

more commonly known as spam, from your machine to others inside or outside the company

● Engaging in such practices as mail bombing that

interfere with a user’s e-mail, regardless of whether or not the user is an employee of the company

● Downloading pornography from the Internet and

storing it on your computer

● Releasing confidential information concerning the

company or its network to outside parties

● Downloading and installing software on your com

puter without the knowledge or permission from the Helpdesk

Acceptable use policies should always be

MS Press Microsoft Encyclopedia of Security pdf

Contents­

Alphabetical Reference of Terms

Numbers

A

B

D

E

F

G

H

J

K

L

M

N

O

P

Q

R

S

T

U

W

Y

Z

Acknowledgments

Introduction

What Is Computer Security?

Threats and Vulnerabilities

Standards and Protocols

Hacking and Cracking

Tools and Procedures

Organizations and

Certifications

Cryptography

Legal Issues

Who This Work Is For

How This Work Is Organized

Disclaimer

Comments and Questions

#

Numbers

and Symbols

3DES

802.1

x

#

#

802.11i

2600

#

A

A

A5

AAA

acceptable use policy (AUP)

Contents