 Integrity

 Integrity can refer to either system integrity or data

integrity.
 Data maintains its integrity if the receiver of the data

can verify that the data have not been modified; in

addition, no one should be able to substitute fake
data.

05/25/20 2
 Confidentiality refers to data and is provided when
only intended recipient(s) can read the data.
 Anyone other than the intended recipients either

cannot retrieve the data because of access mechanism

protections, or other means, such as encryption,
protect the data even if they are stolen or intercepted.

05/25/20 3
Non repudiation is a property of data and means that
the sender should not be able to falsely deny (i.e.,
repudiate) sending the data.
 This property is important for electronic commerce

because vendors do not want clients to be able to

deny that they made purchases and thus must pay for
any services or goods they received.

05/25/20 4
 Availability is a property of systems where a third party
with no access should not be able to block legitimate
parties from using a resource.
 There have been numerous DoS attacks; notable ones include “syn
flood,” “smurf,” “ping of death.
 The “syn flood” attack creates many “halfopen” Transmission
Control Protocol (TCP) connections so that the target computer no
longer accepts any new connections.
 The “smurf” attack sends an Internet Control Message Protocol
(ICMP) packet to a broadcast address resulting in a large number
of replies, flooding a local network.

05/25/20 5
 Detectability

 One problem associated with wireless communication is detectability.

Non mobile users typically do not face this problem.
 In some circumstances, the mobile users do not want their wireless
system to be detected, and this is part of the reason they are mobile.
 Even if strong encryption is used and the data cannot be deciphered,
the mere presence of the signal can put the user at risk.
 If the enemy can detect the signal and locate its position, the device can
be jammed by local radio frequency (RF) interference, the soldier can
be captured by troops sent to that location, or he can be killed by
remote weapons that target that location (e.g., bombs, artillery shells,
etc.).

05/25/20 6
 Another problem unique to mobile systems is that the resources
often are very limited.
 To keep the mobile unit small and lightweight, the designers
often make compromises. The CPU speed may be an order of
magnitude or more slower than that of conventional desktop
machines.
 The network bandwidth may be similarly limited.
 The biggest constraint on these systems is the battery. Often
these systems run on internal batteries because AC power is not
available owing to location (e.g., being outside) or because they
are moving continually and would require a very long and
impractical extension cord.
 This leaves these devices open to resource-depletion and
exhaustion attacks.

05/25/20 7
 One major difference between wired and wireless
systems is the ease of physical intercept of the signal.
 In wireless systems, the signal is broadcast through

the air, where any receiver can intercept it.

 In general, the approaches to mitigate this problem

involve directional antennas, low-power

transmissions, and frequency-hopping/spread-
spectrum technology at the physical layer and
encryption techniques at higher layers.

05/25/20 8
 A final problem we will discuss is theft of service.
While this problem has plagued computer systems
seemingly forever, wireless systems are particularly
prone to it. Normally, a system requires a user name
and password to gain access to it.

05/25/20 9
 There is a whole class of war terms that originate
from the term war dialing. Back in the 1980s, before
the widespread popularity of the Internet, hackers
and crackers would search for phone numbers with
modems attached to them by using programs they
would dial every number in an exchange and listen
for the modem tones.

05/25/20 10
 War walking and similar variants (e.g., war
flying) reflect different modes of
transportation. In this case, the term refers to
scanning for wireless networks by using a
lightweight computer (personal digital
assistant or palmtop or small laptop) and
walking around an area

05/25/20 11
 War driving is the wireless equivalent of war dialing.
The technique involves taking a computer with a
wireless card running some detection software
[netstumbler, kismet, airsnort, wardriving] and
optionally a Global Positioning System (GPS) and
driving around a city. The softwar detects the
presence of wireless networks, and the GPS gives the
location for later reference.

05/25/20 12
 One other variant that started to become popular in
2002 is war chalking, which is the practice of
marking the presence of wireless networks with chalk
either on sidewalks or on the sides of buildings.
 The three symbols shown in Figure represent an open

network, a closed network, and a Wired Equivalent

Privacy (WEP) password protected network.

05/25/20 13
05/25/20 14
One of the essential characteristics of mobile
computing is that the locations of the nodes change.
 Mobility provides many freedoms, but it also

increases several security risks. Dynamically

changing routes, potential lack of a trusted path,
disconnected operation, and power limitations all
increase the security risks.

05/25/20 15
 ad hoc networks must propagate messages from one
wireless station to the next until they reach the destination
or a border (typically the Internet).
 Ad hoc networks form on the fly, without a fixed
infrastructure.
 Data in ad hoc networks typically pass through several other
ad hoc nodes. Typically, there is no guarantee as to the
identity of these intermediate nodes, so “man in the middle”
attacks can be used to copy or corrupt data in transit.
 Because nodes are mobile, the route between any two nodes
is dynamic, even if the endpoints are stationary.

05/25/20 16
 A route between two nodes can be disabled by two
malicious nodes that share a common segment along
the route. In an ad hoc network, key routing nodes
can be disabled via a resource-exhaustion attack in
this manner.
 ARP Spoofing
 ARP cache posioning

05/25/20 17
 One problem when using encryption or authentication is
key management, which involves creating, sharing,
storing, and revoking encryption keys.
 Public key encryption is one way to avoid needing a

key exchange. If a symmetric key algorithm is used,

then the two endpoints must agree on a key, either via a
key-exchange protocol, such as IKE or DiffieHellman,
[IKE, Diffie-Hellman or decide on a key a priority.

05/25/20 18
 Reconfiguring poses another problem in ad hoc
networking.
 Because ad hoc networks are, by nature, dynamic, as

nodes move they go out of radio contact with some

nodes and come into contact with other nodes.
 The network topology itself changes over time. This

means that a previous route from node X to node Y

may no longer work.
 Ad hoc routing algorithms must be able to

reconfigure the underlying view of the network

dynamically.

05/25/20 19
 The mobile environment is often more hostile than
the non mobile one.
 In a non-mobile environment, physical boundaries

and barriers have more meaning and change less

frequently. In a mobile environment, eavesdropping
is easier.
 Physical locations often are not secured, e.g., coffee

shops and airports, and nodes go in and out of contact

regularly

05/25/20 20
 Electronic commerce is a prime application of and
domain for mobile computing.
 The vast commercial potential for this drives the

development and deployment of the technology,

making common place mobile computing a reality.
 Generally, security is at odds with convenience, and

in a commercial market, convenience takes

precedence

05/25/20 21
Currently, liability issues relating to computer
security are still being determined.
 Not only do computers contain potentially useful

information, such as customer credit card numbers,

but machines on the Internet also can be used as
spring boards to launch attacks on other Internet
computers.
 Some businesses have been sued because of their

lack of “due diligence” by not installing patches,

antivirus software, and similar protection.

05/25/20 22
 Another aspect of electronic commerce is the
“intangibles” from public perceptions.
 Companies that suffer from break-ins often are

reluctant to report them because of the fear that such

a report will hurt their reputations.
 Often, the costs of these break-ins simply are

included as the cost of doing business.

05/25/20 23
 “Man in the middle” attacks
 Replay attacks
 Buffer-overflow attacks

05/25/20 24