Thursday, November 28, 2013

Embedding fonts in PDFs

IEEE requires that the fonts in PDFs be embedded. After banging my head against a number of internet walls I found this blog, which has a neat way of doing it using Ghostscript.

gs -q -dSAFER -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=tmp.pdf -dCompatibilityLevel=1.3 -dPDFSETTINGS=/prepress -c .setpdfwrite -f $1

where $1 is your input PDF.

Friday, January 6, 2012

Host and Network Based Intrusion Detection System

Host Based Intrusion Detection System - Definition
A host based intrusion detection system (HIDS) is a piece of software which monitors a computer system for vulnerabilities and intrusions. It may also monitor software misuse, policy violations and other malicious activities. A host based intrusion detection system may also perform log analysis, spyware detection and virus detection. An example of HIDS is the OSSEC-HIDS tool. Host based intrusion detection systems have the advantage that they reside locally on the machine and hence can keep a closer watch over it than an NIDS can. The downside is that, in a large scale implementation, the HIDS agents generate a huge amount of data which is difficult for a manager node to handle.
Network Based Intrusion Detection System – Definition
In contrast to the host based intrusion detection system, a network based intrusion detection system (NIDS) is placed at strategic points in the network from where it can monitor the network traffic coming from and going to all the systems in the network. The upside of using an NIDS is that by observing packets before they reach a particular machine you can take action proactively, while with an HIDS you have to wait for the malicious packet to do something. The downside is that an NIDS will slow down the network since every packet is being checked, and it also has a tendency to raise too many false alarms. An example of an NIDS is Wireshark.
Types of Intrusion Detection Techniques
Intrusion detection systems can be classified based on what techniques they use to detect malicious behavior.
1. Anomaly Detection
Anomaly detection programs try to find abnormal behavior on a user's or software's part. For this, a baseline pattern of usage is first defined. This baseline pattern is taken as the normal behavior of a system's usage. An anomaly is any behavior which deviates from normal usage. An incident which occurs either much more frequently or much more rarely than normal is considered an anomaly. For example, if software which usually just reads files starts modifying them, that is an anomaly in the software's behavior. If a computer which is often used only during the daytime is accessed at night, that would be considered a usage anomaly.
2. Misuse or Signature Detection
A signature is a pattern associated with a certain entity. The entity can be software, a user or a packet. Signatures are often associated with viruses and spyware. Viruses and spyware can be grouped into classes according to their behavior. The malicious programs in such a class have similar functionality and hence similar code sections. Such similar functionality and code sections can be considered the signature of the malicious software. Intrusion detection systems keep a database of all such signatures and keep checking software against their database to detect a malicious signature. Similar techniques can be applied to a user's behavior and to network packets.
3. Target Monitoring
In target monitoring, the intrusion detection system does not check the whole file system; instead it keeps an eye on certain files and folders which are more susceptible to attacks and modification by attackers. Since some files and folders in the system are highly sensitive and have a greater impact on the system, it makes sense to protect them. Cryptographic hashes of these files can be computed periodically and compared with previously recorded values to check whether they have been modified by unauthorized entities.
4. Stealth Probes
Stealth probes detect attackers who try to spread their attack over a prolonged period of time so as to avoid being detected through anomalous behavior. Stealth probes collect a wide variety of data to check for such attacks.
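Target monitoring (item 3 above) with cryptographic hashes, as an added example that is not code from this post or from OSSEC: a baseline of SHA-256 digests is recorded for a set of watched files and later compared with their current contents. The watched paths and contents are constructed stand-ins held in memory; read_files shows how the same check is fed from disk.

```python
import hashlib
from typing import Dict, Iterable

# Constructed stand-in for the watched part of a file system: path -> contents.
# In practice these are read from disk (see read_files below).
WATCHED_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/login": b"\x7fELF...constructed binary stand-in...",
}


def digest(data: bytes) -> str:
    """SHA-256 hex digest of a file's contents; changing one byte changes it."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the known-good digest of every watched file (the baseline)."""
    return {path: digest(data) for path, data in files.items()}


def check_integrity(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, list]:
    """Compare the current state of the watched files with the baseline.

    Reports paths whose contents changed, paths that vanished, and paths that
    appeared in a watched location without being in the baseline.
    """
    report = {"modified": [], "removed": [], "added": []}
    for path, known in baseline.items():
        if path not in current:
            report["removed"].append(path)
        elif digest(current[path]) != known:
            report["modified"].append(path)
    for path in current:
        if path not in baseline:
            report["added"].append(path)
    for key in report:
        report[key].sort()
    return report


def read_files(paths: Iterable[str]) -> Dict[str, bytes]:
    """Read real files from disk into the path -> contents form used above."""
    out = {}
    for path in paths:
        with open(path, "rb") as fh:
            out[path] = fh.read()
    return out


if __name__ == "__main__":
    baseline = build_baseline(WATCHED_FILES)
    # Simulate an unauthorized change (root login re-enabled) and an unexpected new file.
    tampered = dict(WATCHED_FILES)
    tampered["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    tampered["/etc/cron.d/unexpected"] = b"* * * * * root /tmp/x\n"
    print(check_integrity(baseline, tampered))
```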
Comparing HIDS and NIDS
This section compares the two kinds of intrusion detection system based on a few functionalities.
Network Binding
Since an NIDS resides on the network and on only one machine, it is only able to provide protection while a system is on the network; once a system leaves the protected network the NIDS is no longer able to protect it. In contrast, an HIDS always resides on the local machine, irrespective of whether the machine is on or off the network, and thus is able to monitor and protect it at all times.
Versatility
While an HIDS can provide comprehensive monitoring and analysis of the state of the machine by scanning and checking important system files, anomalies and software signatures, and by keeping a check on the ports, an NIDS can only analyze the network traffic to monitor intrusions. Thus an HIDS is far more versatile than an NIDS in this respect.
Real time detection
Since an NIDS scans packets all the time, it provides real time detection and protection; an HIDS, on the other hand, runs and checks the system periodically.
Ease of updating
Both kinds of intrusion detection system require certain patterns and behavior definitions which should be kept up to date. Updating these patterns and behaviors on an NIDS is far easier than on an HIDS, since the NIDS resides on only one machine while HIDS agents reside on every single machine in the network.
Cross platform compatibility
The network will consist of machines running a number of different platforms, which is always the case: a network may have a few Windows machines, a few Linux machines, a few running MacOS and others running FreeBSD, etc. For an HIDS it is a difficult task to overcome the variation in platforms. For example, OSSEC-HIDS does not have a manager which can run on a Windows machine, so you cannot run OSSEC-HIDS on an all-Windows network. This problem does not arise in the case of an NIDS since one dedicated system can be used to run it.
Local machine scanning
Computers can be infected not only through the network but also by a number of other means, for example somebody accidentally transferring a virus they had on their flash drive. This cannot be detected by an NIDS but can be detected by an HIDS.
Centralized management
NIDS can be managed in a centralized manner far more efficiently than HIDS. Centralized management has advantages, since the company which owns the network can hire specialized security people to monitor the network at all times rather than relying on users to analyze the HIDS databases.
Reliability
HIDS are more reliable than NIDS since an NIDS is a single point of failure. If the NIDS machine goes down, the entire network becomes unprotected and vulnerable; in the case of an HIDS failure, on the other hand, only the machine on which the failure occurred is vulnerable while all the other machines are still protected.
Point of Impact
HIDS are better suited to attacks on the machine itself: their point of impact is the system, and they deal with inside attackers. For an NIDS the point of impact is the network, and hence it deals with outside attackers.
Damage Assessment
The virtue of real time protection gives rise to a vice: an NIDS cannot assess the damage to a system, while an HIDS, because it keeps logs of every activity and checks the system periodically, can provide a measure of how much damage has occurred.
Attack anticipation
Related to the above is attack anticipation. Since an HIDS always keeps track of everything going on in a system, it is capable of predicting when an attack may take place by using the data about usage characteristics. An NIDS, on the other hand, does not have the luxury of any such data and hence has no attack anticipation functionality.

Saturday, October 1, 2011

Notes on RSA

There are three parts to RSA:

1. Key generation: where you generate two keys, a public key and a private key.
2. Encryption: where you use the public key and the data to generate the ciphertext.
3. Decryption: where you use the ciphertext generated in the previous step and the private key to obtain the original data.

Let's try to understand the example below. Most probably you will be given four values and asked to generate the public key, the private key and the ciphertext, and then to decrypt the ciphertext.
You are given p = 61 and q = 53. You are given e = 17 and the data to be encrypted as m = 65.

Step 1. Calculate the public and private keys.
1. Multiply p and q together to find their product

n = p x q
In our example n = 61 x 53 = 3233
2. Find the totient of n. If n has two prime factors p and q, then the totient φ(n) = (p-1)(q-1). We already know p and q, so the totient of n is φ(n) = (61 – 1) x (53 – 1) = 60 x 52 = 3120.

3. You need to choose a value for e between 1 and φ(n), which is 3120 in this case, such that e shares no common factor with φ(n) (otherwise the inverse in the next step does not exist). In this case let e be 17.

4. Compute the modular inverse of 17 mod φ(n). This is the hard part.
A multiplicative inverse of x mod y is a number which, when multiplied by x and the product divided by y, gives the remainder 1.
We can use the calculator here http://ptrow.com/perl/calculator2.pl

Set the modulus to the φ(n) value, which is 3120 in this case, use a = 17 and hit the 1/a button; the result is the multiplicative inverse. Let us call the multiplicative inverse d, which comes out to be 2753.

5. Once you have calculated the multiplicative inverse, you have both the public and the private keys.
Public key is (n = 3233, e = 17).
Private key is (n = 3233, d = 2753).

Step 2. Now we encrypt the data given to us using the public key we calculated.
The formula for encryption is
C = m^e (mod n)
C = 65^17 (mod 3233) = 2790

Step 3. The result from step 2 is the ciphertext; now we want to decrypt it to obtain the original data m. To do so we need the private key and the following formula.

M = C^d (mod n), where n = 3233
M = 2790^2753 (mod 3233) = 65.
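The three steps above carried through in code with the same four values, as an added example (not from the original post). The modular inverse of step 4, which the post hands off to an online calculator, is computed here with the extended Euclidean algorithm and cross-checked against Python's built-in pow(e, -1, phi).

```python
# Constructed walk-through of the RSA example above with the same four values.
P, Q, E, M = 61, 53, 17, 65


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a: int, m: int) -> int:
    """Multiplicative inverse of a mod m (the 'hard part' of step 4)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}: gcd is {g}")
    return x % m


def keygen(p: int, q: int, e: int):
    """Step 1: n, phi(n) and d; returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("e must lie strictly between 1 and phi(n)")
    d = modinv(e, phi)          # fails if e and phi(n) share a factor
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Step 2: C = m^e mod n, via fast modular exponentiation."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Step 3: M = C^d mod n."""
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    public, private = keygen(P, Q, E)
    c = encrypt(public, M)
    print("public", public, "private", private)               # (3233, 17) (3233, 2753)
    print("ciphertext", c, "decrypted", decrypt(private, c))  # 2790 65
```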

Tuesday, February 8, 2011

Social Engineering

Why waste your time trying to break passwords and encryption when you can so easily social engineer? Social engineering can be defined as obtaining information, gaining access or making the target perform certain actions by using psychological tricks on a person rather than breaking into a system. Hacking using social engineering is often easier than breaking into computers. In any secure system the weakest link is the human. Humans have cognitive biases, also called the bugs in the human hardware, and social engineers exploit these bugs. Several techniques of social engineering exist; some of the more prominent ones are:

1. Pretexting

Pretexting means using a fake, invented scenario to persuade the victim to divulge valuable information. Pretexting involves some amount of background research on the victim so that the hacker appears to be a legitimate person. Pretexting can be done in person, online or over the phone. Hackers can call individuals pretending to be customer service representatives, or can call company employees pretending to be high ranking officials, and get them to divulge confidential information.

2. Dumpster Diving

Dumpster diving is gathering information which a company has discarded into a dumpster. Things like discarded policy manuals, calendars, outdated hardware, memos and letters provide a huge amount of information to a hacker.

3. Phishing

In a phishing scam, the hacker sends the victim an email, usually alerting them that they need to change their password on a certain website, or simply asking them to log in to a website where they have an account, like Facebook, Yahoo or some bank's website. The scammer provides a link in the email which will supposedly carry the victim to the website mentioned in the email. The link instead carries the victim to a fake website which looks exactly like the original. The difference is that this website is designed by the scammer to forward the login information to him.

4. Reverse Social Engineering

Reverse social engineering is the smartest technique of social engineering and has the best probability of getting results for the hacker. In this technique the attacker sets up the system such that the victim comes to him asking for help. Since the victim himself is asking for directions, he can be manipulated at will. Reverse social engineering consists of three steps: sabotage, advertising and assisting. First the attacker sabotages the system and causes a problem to arise. He then advertises himself as the person who can fix the problem. This makes people come to him asking for help. He then helps the people fix the problem he himself had created and in the process extracts confidential information bit by bit from them.

Friday, November 12, 2010

Elliptic Curves

Public key cryptography, also known as asymmetric cryptography, is widely used nowadays in distributed environments. From key distribution to secure communication and message signing, public key cryptography is everywhere. However, public key algorithms are generally power hungry and clearly not suitable for wireless sensors. Over the last few years elliptic curve cryptography (ECC) has emerged as an attractive and viable public key system for constrained environments. An elliptic curve E can be defined as the set of points satisfying an equation of the form y^2 = x^3 + ax + b, along with a point at infinity. Here a and b are real numbers and 4a^3 + 27b^2 ≠ 0 (mod p), where p is a prime number greater than 3. This condition ensures that the curve defined by the above equation is non singular. The graph of a non singular curve has two components if the discriminant is positive and one if the discriminant is negative. An example of an elliptic curve used in practice is shown below

y^2 = x^3 + 317689081251325503476317476413827693272746955927x
+ 79052896607878758718120572025718535432100651934

This elliptic curve is used in the Microsoft Windows Media Digital Rights Management Version 2.

The points on an elliptic curve form an abelian group. An abelian group exhibits the following characteristics; we'll see how each of these properties is satisfied by an elliptic curve.
(1) it has a group operator
(2) it has an identity element with respect to the operator
(3) it exhibits closure and associativity with respect to the operator
(4) it exhibits the commutative property
(5) inverses exist with respect to the operator.

GROUP OPERATOR
The group operator defined on the points of an elliptic curve is known as addition. Geometrically, the addition of two points on the curve takes place as follows.
Let there be two points P and Q on the elliptic curve. To add these points a straight line is drawn through the two points. This straight line may or may not intersect the curve at a third point. If it does, the mirror image of this third point across the x axis is taken, and this point R is called the sum of P and Q. If the line does not intersect the curve at a third point, we say the sum is the point at infinity.
Algebraically, if we have two points P(x_P, y_P) and Q(x_Q, y_Q), then the point R(x_R, y_R) = P + Q is given by
s = (y_P - y_Q) / (x_P - x_Q)
x_R = s^2 - x_P - x_Q and y_R = -y_P + s(x_P - x_R)
Point doubling, 2P = R, is done as below:

s = (3x_P^2 + a) / (2y_P)
x_R = s^2 - 2x_P and y_R = -y_P + s(x_P - x_R)
The point at infinity O acts as the identity element of the group, therefore P + O = P.

INVERSE
The additive inverse of a point is its mirror image across the x axis. Let's assume we have a point P and its inverse -P, which is its mirror image across the x axis. A straight line passing through these two points is parallel to the y axis and thus never intersects the curve at any other point, which implies that P + (-P) = O. So we have a valid inverse operation.

CLOSURE
We can see from the above discussion that the addition operation will only produce points which are on the elliptic curve, which satisfies the closure property.

COMMUTATIVE PROPERTY
Geometrically it's easy to see that two points P and Q define the same straight line irrespective of the order. This implies that, irrespective of the order, the straight line intersects the curve at the same point and thus produces the same result for P + Q and Q + P.

ASSOCIATIVITY
The proof for associativity is a tedious one which I am skipping here because it's not relevant to the matter at hand. It should suffice here to say that the group defined by the points on the elliptic curve obeys the associativity rule.
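The addition and doubling formulas above, implemented as an added example (not from the original post) over the integers mod a prime, with the identity, inverse, closure and commutativity properties just discussed checked on concrete points. The toy curve y^2 = x^3 + 2x + 3 mod 97 and the base point (3, 6) are my own constructed choices; division in the formulas becomes multiplication by a modular inverse.

```python
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity O

# Constructed toy curve y^2 = x^3 + 2x + 3 over the integers mod 97. Tiny on
# purpose so the arithmetic can be checked by hand; not a real-world curve.
A, B, PRIME = 2, 3, 97
assert (4 * A**3 + 27 * B**2) % PRIME != 0     # non-singular, as required above


def on_curve(pt: Point) -> bool:
    """O is on the curve by definition; any other point must satisfy the equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % PRIME == 0


def neg(pt: Point) -> Point:
    """Inverse: the mirror image across the x axis."""
    return None if pt is None else (pt[0], (-pt[1]) % PRIME)


def add(p: Point, q: Point) -> Point:
    """Chord-and-tangent addition using the formulas above."""
    if p is None:
        return q                      # O is the identity
    if q is None:
        return p
    xp, yp = p
    xq, yq = q
    if xp == xq and (yp + yq) % PRIME == 0:
        return None                   # vertical line: P + (-P) = O
    if p == q:
        s = (3 * xp * xp + A) * pow(2 * yp, -1, PRIME) % PRIME   # tangent slope
    else:
        s = (yp - yq) * pow(xp - xq, -1, PRIME) % PRIME           # chord slope
    xr = (s * s - xp - xq) % PRIME    # equals s^2 - 2x_P when P == Q
    yr = (-yp + s * (xp - xr)) % PRIME
    return (xr, yr)


def mul(k: int, pt: Point) -> Point:
    """k*P by double-and-add; repeated addition is what ECC keys are built on."""
    result: Point = None
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


if __name__ == "__main__":
    P0 = (3, 6)
    print("2P =", add(P0, P0), "3P =", add(P0, add(P0, P0)), "5P =", mul(5, P0))
```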

Friday, October 22, 2010

The Spyware Report

For my Trustworthy Networks course, we had to write a report on a malware and I chose to write mine on spyware. Every few days you find somebody talking about how slow his computer has become, and everyone including me blames it on buggy software and slow hardware. It's not until the spyware becomes very obvious and starts showing itself that we realize what the real problem is. Did you know that 80% of the computers connected to the internet have some sort of spyware installed on them and 9 out of 10 people don't even know they have spyware? The total financial loss caused by spyware in 2007 was $1.7 billion in the US alone!
Spyware is annoying, really annoying, but that's not the worst thing about it. Spyware is growing like anything, so much so that it has left its older cousins, the virus and the worm, far, far behind in internet penetration. And surprise, surprise: did you think spyware was illegal like the worm and virus? If you did, you were wrong. Current law in most places deems spyware legal. Not that the lawmakers want spyware to be legal, but the spyware makers make use of loopholes in the law.
I came upon a number of interesting facts, figures and technologies when I was writing my report. A copy of that report can be found here. I have tried to make it easier to read for a non technical person while at the same time trying to fulfill the objective of a technical report. Hope somebody finds it useful.

Wednesday, September 8, 2010

Coding Standards

Let's start with the very basics: coding standards. You don't find them in a lot of programming books, but believe it or not, coding standards go a long way in improving your coding efficiency. It's always better to develop good habits early than to try and correct them later like I did. Coding standards are very easy to ignore as they don't seem to hold any practical value, but if put into practice they can save you a lot of time in debugging and can make your code much more readable.

1. Naming those variables.

Spend a little time naming your variables. These variables will be littered all over your code, and if you name them intelligently they help make your code more readable. Not only does "int loopCounter" manage to convey its purpose much better than "int a", it also helps you keep track of the code when it spans thousands of lines. A number of conventions exist, namely camelBack, underscore_notation and Hungarian notation. The important thing to keep in mind is to choose one of them and be consistent throughout your code. Do not switch from one notation to another within a program; it makes the code confusing and difficult to read.

camelBack: int loopCounter
underscore_notation: int loop_counter
Hungarian: int iLoopCounter

2. Indentation

Indentation, again, is one of those things which are easy to miss. Indentation makes your code look well structured and easy to understand, and helps in debugging. Indent whenever you start a block of code like a function or an if, else, while, for, etc.

3. Comments

For a lot of people, including me, comments are a pain in the A, but make no mistake, they are useful. They come in really handy when you look at your code after a break of a few days. Also, your code will be easier to understand for someone other than you. I have seen people suffer while having to work with totally uncommented code. Commenting is a good habit; comment as much as you can, even in places where you think it will be useless.

There are a few more of these standards, but these three are the most basic. Writing code which is readable and nicely formatted is always a good thing; I hope these standards help you do that.

Happy Coding!
(Thanks to Dylan for giving me these tips and also for making me realize how important these are.)