
Adama University Department of Computer Science
CSIT 100 Information & Communication Technology

CHAPTER FIVE

Computer Security

Computer security is the set of techniques developed to safeguard information and the
information systems that store and process it. Potential threats include the destruction of
computer hardware and software and the loss, modification, theft, unauthorized use,
observation, or disclosure of computer data.

Computers and the information they contain are often considered confidential systems
because their use is typically restricted to a limited number of users. This confidentiality
can be compromised in a variety of ways. For example, people who spread computer
viruses and worms can harm computers and computer data.

5.1 Malicious Code

5.1.1 Viruses

A virus is a self-replicating computer program that interferes with a computer's hardware
or operating system (the basic software that runs the computer). Viruses are designed to
replicate themselves while avoiding detection. Like any other computer program, a virus
must be executed for it to function: it must be loaded into the computer's memory, and
the processor must then follow the virus's instructions. The part of the virus that carries
out its intended effect, as opposed to the part that copies it, is called the payload. The
payload may disrupt or change data files, display an irrelevant or unwanted message, or
cause the operating system to malfunction.

How Infections Occur


Computer viruses activate when the executable code they have attached themselves to is
run. Once a virus is active, it may replicate by various means and tries to infect the
computer's files or the operating system. For example, it may copy parts of itself to
floppy disks or to the computer's hard drive, insert itself into legitimate programs, or
attach itself to e-mail messages and spread across computer networks by infecting files
on shared drives. Infection has historically been much more frequent on PCs than on
professional mainframe systems because programs on PCs are exchanged primarily by
means of removable disks, e-mail, or unregulated computer networks.

Viruses operate, replicate, and deliver their payloads only when they are run. Therefore,
a computer that is merely attached to an infected network, or that has downloaded an
infected program without running it, will not necessarily become infected. A computer
user is not likely to knowingly run harmful code, so viruses typically trick the operating
system or the user into running the viral program, for example by disguising it as a
document or a useful utility.

Some viruses attach themselves to otherwise legitimate programs. This attachment may
occur when the legitimate program is created, opened, or modified. When that program is
run, so is the virus. Viruses can also reside in the portions of a hard disk or floppy disk
that load and run the operating system when the computer is started; such viruses are run
automatically at every boot. In computer networks, some viruses hide in the software that
allows the user to log on to (gain access to) the system.

With the widespread use of e-mail and the Internet, viruses can spread quickly. Viruses
attached to e-mail messages can infect an entire local network in minutes.

Types of Viruses

There are five categories of viruses: parasitic or file viruses, bootstrap-sector viruses,
multipartite viruses, macro viruses, and script viruses.

Parasitic or file viruses infect executable files or programs on the computer. On Windows
systems these files are often identified by the extension .exe. File viruses keep the host
program's original functionality intact but attach to it in such a way that the virus code
runs first, before control passes to the original program. These viruses can be either
direct-action or resident. A direct-action virus selects one or more programs to infect each
time it is executed and then exits. A resident virus stays in the computer's memory and
infects programs as they are executed.

Bootstrap-sector viruses reside in the first portion of a hard disk or floppy disk, known as
the boot sector. These viruses replace either the code that describes the disk's layout or
the code that starts the computer, so the virus runs before the operating system loads.
Typically, these viruses spread by the physical exchange of floppy disks.

Multipartite viruses combine the abilities of parasitic and bootstrap-sector viruses, and
so are able to infect both files and boot sectors. They can spread when a user boots from
an infected diskette or runs an infected file.

Other viruses infect documents created by applications that include powerful macro
languages (programming languages that let the user automate tasks and add features).
These viruses, called macro viruses, are written in the application's macro language and
execute automatically when the infected document is opened in the legitimate program.

Script viruses are written in scripting languages such as VBScript (Visual Basic Script)
and JavaScript. These languages can be seen as a special kind of macro language and are
even more powerful because most are closely tied to the operating system environment.
The "ILOVEYOU" virus, which appeared in 2000, spread as a VBScript e-mail attachment
and infected an estimated one in five personal computers, is a famous example of a script
virus.

5.1.2 Worms

A worm is a program that propagates itself across computers, usually by spawning copies
of itself in each computer's memory. A worm might duplicate itself in one computer so
often that it causes the computer to crash. Sometimes written in separate "segments," a
worm is introduced surreptitiously into a host system either for "fun" or with intent to
damage or destroy information. The term comes from a science-fiction novel. In everyday
usage worms are often loosely called viruses, but the distinction matters: a virus needs a
host program and a user or the system to run it, whereas a worm spreads across a network
on its own. Worm segments spread across a network can exhaust its resources (memory
and bandwidth), and segments that communicate with one another can coordinate to
increase their damage.

5.1.3 Trojan Horses

There are other harmful programs that may be carried by a virus but are not themselves
considered viruses because they do not replicate. These programs fall into three
categories: Trojan horses, logic bombs, and deliberately harmful or malicious programs
that run within Web browsers (application programs such as Internet Explorer and
Netscape that display Web sites).

A Trojan horse is a program that pretends to be something else. A Trojan horse may
appear to be something interesting and harmless, such as a game, but when it runs it may
have harmful effects, for example installing a back door or stealing data. The term comes
from the classical Greek story of the Trojan horse, recounted in Homer's Odyssey and
Virgil's Aeneid.

5.1.4 Bombs
A bomb is malicious code planted in a computer, but unlike a virus it does not replicate
itself. A logic bomb delivers its payload only when a specific condition triggers it, such as
a particular date or time being reached or a particular sequence of keys being typed; until
then it lies dormant and is hard to distinguish from legitimate code. A logic bomb may
erase a hard drive or delete certain files.

Malicious programs that run within a Web browser often appear in Java applets and
ActiveX controls. Although applets and controls improve the usefulness of Web sites,
they also increase a vandal's ability to interfere with unprotected systems. Because these
controls and applets require that code be downloaded to a user's personal computer (PC),
activating an applet or control might actually download and run malicious code.

5.2 Techniques to Reduce Security Problems


5.2.1 Backup

Storing backup copies of software and data, and having backup computer and
communication capabilities, are important basic safeguards because the data can then be
restored if it is altered or destroyed by a computer crime or accident. Computer data
should be backed up frequently, and at least one copy should be stored in a secure
location away from the primary site so that fire, flood, or theft there does not also destroy
the backups. A backup that is reachable for writing from an infected computer can be
destroyed along with the originals, so keep a copy offline or read-only, and test backups
by actually restoring from them. Transporting sensitive data to storage locations should
also be done securely.

5.2.2 Encryption

Another technique to protect confidential information is encryption, the process of
converting messages or data into a form that cannot be read without decrypting or
deciphering it. The root of the word encryption, crypt, comes from the Greek word
kryptos, meaning "hidden" or "secret."

Computer users can scramble information to prevent unauthorized users from reading it.
Authorized users unscramble the information when needed by using a secret value called
a key. Without the key, the scrambled information is impossible or very difficult to
unscramble. In single-key (symmetric) encryption the same secret key both encrypts and
decrypts, so sender and receiver must first share it securely. A second form, public-key
encryption, gives each participant a pair of keys: a private key that is kept secret and
never shared, and a public key that is published to potential correspondents. Anyone can
encrypt a message with the recipient's public key, but only the matching private key can
decrypt it, so no secret ever has to be transmitted. The keys also work in the other
direction: a sender can sign a message with their private key, and anyone holding the
public key can verify that the signature came from that sender and that the message was
not altered. Keys are changed (rotated) periodically, which limits the damage if one is
ever compromised.
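As an added example (not part of this handout), the following Python uses textbook RSA with the tiny primes 61 and 53 to make the two-key scheme concrete: encrypt with the public key, decrypt with the private key, sign with the private key, verify with the public key. The primes, the exponent 17 and the sample message are assumptions chosen for illustration; the key size and the absence of padding make this a teaching toy, never something to protect real data with.

```python
# Added example: textbook RSA with tiny, fixed primes to illustrate the
# public/private key roles. Toy only: real systems use 2048-bit or larger
# keys, padding (OAEP/PSS) and a vetted cryptographic library.
import hashlib


def make_keypair(p=61, q=53, e=17):
    """Build an RSA key pair from two primes (p and q are assumed prime)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)        # (public key, private key)


def encrypt(public_key, m):
    """Anyone with the public key can encrypt a block m < n."""
    n, e = public_key
    assert 0 <= m < n, "message block must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the holder of the private key can recover m."""
    n, d = private_key
    return pow(c, d, n)


def sign(private_key, message: bytes):
    """Sign a hash of the message with the private key."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(public_key, message: bytes, signature):
    """Anyone with the public key can check the signature; a changed
    message or a forged signature fails."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    pub, priv = make_keypair()
    c = encrypt(pub, 65)
    print("ciphertext:", c, "decrypts to", decrypt(priv, c))
    msg = b"transfer 100 to account 42"      # constructed sample message
    sig = sign(priv, msg)
    print("valid signature:", verify(pub, msg, sig))
    print("tampered message:", verify(pub, b"transfer 900 to account 42", sig))
```

The private exponent d is never sent anywhere; that is the whole advantage over the single-key method. Note that the signature covers a hash of the message, not the message itself, which is also how real signature schemes work.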

5.2.3 Approved users

Another technique to help prevent abuse and misuse of computer data is to limit the use
of computers and data files to approved persons. Security software can verify the identity
of computer users and limit their privileges to use, view, and alter files. The software also
securely records their actions to establish accountability. Military organizations give
access rights to classified, confidential, secret, or top-secret information according to the
corresponding security clearance level of the user. Other types of organizations also
classify information and specify different degrees of protection.

5.2.4 Passwords

Passwords are confidential sequences of characters that allow approved persons to make
use of specified computers, software, or information. To be effective, passwords must be
difficult to guess: they should be long, should not be words found in dictionaries or
simple variations of them, and should not be reused across systems. Mixing letters with
digits and symbols helps, but length matters more than the variety of symbols. To thwart
impostors, computer systems usually limit the number of failed attempts and slow down or
lock out further attempts, and they store passwords as salted one-way hashes rather than
in plain or reversible form, so that a stolen password file does not directly reveal the
passwords.

A more secure method is to additionally require possession of a tamper-resistant plastic
card with a microprocessor chip, known as a "smart card," or a token that generates a
one-time code that changes after each use. When a user logs on, the computer reads the
card's one-time code as well as a password entered by the user; it checks the code against
the value it computes independently for that card, and the password against the stored
hash. Use of passwords and smart cards is increasingly reinforced by biometrics,
identification methods that use unique personal characteristics such as fingerprints,
retinal patterns, facial characteristics, or voice recordings.
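The following Python is an added example, not code from this handout, showing the server side of what the passage describes: a strength check against a (constructed, tiny) dictionary, salted one-way hashing with PBKDF2-HMAC-SHA256, constant-time comparison, and a lockout after a fixed number of failed attempts. The iteration count, lockout threshold and word list are illustrative assumptions.

```python
# Added example (not from the handout): salted password hashing with
# PBKDF2-HMAC-SHA256, constant-time verification and a failed-attempt
# lockout. ITERATIONS, MAX_ATTEMPTS and COMMON_WORDS are illustrative.
import hashlib
import hmac
import os

ITERATIONS = 200_000
MAX_ATTEMPTS = 5
# Constructed mini dictionary; a real check uses a large wordlist.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "adama"}


def is_strong(password: str) -> bool:
    """Reject short passwords and dictionary words in any capitalisation."""
    if len(password) < 12:
        return False
    return password.lower() not in COMMON_WORDS


def hash_password(password: str) -> dict:
    """Create the stored record: a random per-user salt plus the slow hash.
    The password itself is never stored and cannot be recovered from this."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "failures": 0}


def check_password(record: dict, attempt: str) -> bool:
    """Verify an attempt; refuse once MAX_ATTEMPTS failures have accumulated.
    hmac.compare_digest avoids leaking how many bytes matched via timing."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False                       # locked out: do not even compare
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], ITERATIONS)
    if hmac.compare_digest(digest, record["hash"]):
        record["failures"] = 0             # successful login resets the counter
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample
    print("wrong password accepted:", check_password(rec, "wrong"))
    print("right password accepted:", check_password(rec, "correct horse battery staple"))
```

Two points worth noticing: the salt makes identical passwords hash differently for different users, so a precomputed table is useless, and the lockout check happens before the expensive hash so a locked account costs the server nothing.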


5.2.5 Firewalls

Computers connected to communication networks such as the Internet are particularly
vulnerable to electronic attack because so many people can reach them. Placing a firewall
(a dedicated computer or software) between the networked computers and the network
can protect them. The firewall inspects the traffic passing between the two sides, allows
or blocks it according to a set of rules (for example, permit only expected services from
expected sources), and logs what it sees. These functions help prevent floods of incoming
traffic that would otherwise deny service to legitimate users, and they ensure that
connections from outside reach only the services that are meant to be exposed. A firewall
alone cannot guarantee that the content it lets through is free of viruses; that requires
scanning of the content itself (see 5.2.9).

5.2.6 Intrusion Detection Systems

Security software called an intrusion detection system may be used to detect unusual and
suspicious activity and, in some cases, to stop a variety of harmful actions by authorized
or unauthorized persons. Such systems compare observed activity (logins, file accesses,
network connections) against known attack patterns or against a baseline of normal
behaviour, and raise an alert when it deviates. Abuse and misuse of sensitive system and
application programs and data, such as password, inventory, financial, engineering, and
personnel files, can be detected in this way.
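As an added example of the pattern-based detection just described (not code from this handout), the Python below runs one intrusion-detection rule over a constructed authentication log: any source address that accumulates a threshold of failed logins inside a sliding time window is reported. The log format, the sample lines, the threshold and the window are assumptions made for the example.

```python
# Added example (not from the handout): a minimal intrusion-detection rule
# run over constructed authentication log lines. It flags any source with
# >= THRESHOLD failed logins inside a WINDOW-second sliding window.
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 4          # failures needed to raise an alert
WINDOW = 60            # seconds
LINE_RE = re.compile(r"^(\S+) (FAILED|OK) user=(\S+) src=(\S+)$")

# Constructed sample log (not real data), in chronological order: one
# noisy client guessing accounts, one normal user, one corrupted line.
SAMPLE_LOG = """\
2024-01-01T10:00:01 FAILED user=root src=203.0.113.5
2024-01-01T10:00:03 FAILED user=admin src=203.0.113.5
2024-01-01T10:00:05 FAILED user=test src=203.0.113.5
2024-01-01T10:00:07 FAILED user=guest src=203.0.113.5
2024-01-01T10:00:40 OK user=alice src=198.51.100.7
corrupted log line that does not match the format
2024-01-01T10:05:00 FAILED user=bob src=198.51.100.7
2024-01-01T10:15:00 FAILED user=bob src=198.51.100.7
"""


def parse(line):
    """Return (timestamp, result, user, src) or None for unparseable input.
    A detector must not crash on garbage: attackers control log content."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return datetime.fromisoformat(ts), result, user, src


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each offending source to the time its first alert fired."""
    recent = defaultdict(deque)       # src -> timestamps of recent failures
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[1] != "FAILED":
            continue
        ts, _, _, src = rec
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()                # forget failures outside the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: possible brute force from {src} at {when.isoformat()}")
```

With the defaults only 203.0.113.5 is reported; bob's two failures ten minutes apart fall outside the window and stay below the threshold, which is the kind of tuning that separates a useful detector from a noisy one.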

5.2.7 Application Safeguards

The most serious threats to the integrity and authenticity of computer information come
from those who have been entrusted with usage privileges and yet commit computer
fraud. For example, authorized persons may secretly transfer money in financial
networks, alter credit histories, sabotage information, or commit bill-payment or payroll
fraud. Modifying, removing, or misrepresenting existing data threatens the integrity and
authenticity of computer information. For example, omitting sections of a bad credit
history so that only the good credit history remains violates the integrity of the document.
Entering false data to complete a fraudulent transfer or withdrawal of money violates the
authenticity of banking information. A variety of techniques can prevent these crimes.
One such technique is checksumming: a checksum (today usually a cryptographic hash)
of a file's contents is computed before and after it is used, and if the two values differ the
file has been altered. Other techniques include authenticating the sources of messages,
confirming transactions with those who initiate them, segregating duties so that more than
one person must be involved in committing a crime, and limiting the amount of money
that can be transferred through a computer. Together, these application safeguards act as
anti-fraud controls.

5.2.8 Disaster Recovery Plans

Organizations and businesses that rely on computers need to institute disaster recovery
plans that are periodically tested and updated. This is because computers and storage
components such as diskettes or hard disks are easy to damage: a computer's memory can
be erased, and flooding, fire, or other forms of destruction can damage the computer's
hardware. Computers, computer data, and components should be installed in safe and
locked facilities.

5.2.9 Anti-viral Tactics


Preparation and Prevention

Computer users can prepare for a viral infection by regularly creating backups of
legitimate original software and data files so that the computer system can be restored if
necessary. Viral infection can be prevented by obtaining software only from legitimate
sources, or by testing new software on an isolated computer, that is, one not connected to
any network. However, the best prevention may be the installation of current and
well-designed antivirus software. Such software can block a viral infection before it takes
hold and thereby help stop its spread.

Virus Detection

Several types of antivirus software can be used to detect the presence of a virus. Scanning
software recognizes characteristic byte patterns (signatures) of a virus's code and looks
for them in the computer's files. Because new viruses must be analyzed as they appear,
the scanner's signature database must be updated regularly to remain effective. Other
scanners search for common features of viral programs in general and are usually less
reliable. Most antivirus software combines on-demand and on-access scanners.
On-demand scanners run only when the user launches them. On-access scanners
constantly monitor the computer, checking files as they are opened or executed, and run
in the background without being visible to the user. On-access scanners are seen as the
proactive part of an antivirus package and on-demand scanners as the reactive part,
because an on-demand scan usually detects a virus only after the infection has occurred.
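The Python below is an added example, not code from this handout or from any antivirus product, of the on-demand signature scanning just described. Its two "signatures" are constructed marker byte strings, not real malware code (a real scanner would be tested with the standard EICAR test file instead), and the files it scans are written by demo() into a temporary directory. It also shows the weakness that the Viral Strategies section later discusses: a copy whose bytes differ by one character is no longer matched.

```python
# Added example (not from the handout): a minimal on-demand signature
# scanner. SIGNATURES are constructed, harmless marker patterns; the
# sample tree is created by demo() in a temporary directory.
import os
import tempfile

# Constructed demo signatures: byte patterns a copy of the "virus" contains.
SIGNATURES = {
    "Demo.Marker.A": b"DEMO-SIGNATURE-ALPHA-NOT-REAL-MALWARE",
    "Demo.Marker.B": b"\xde\xad\xbe\xef\x90\x90\xcc",
}


def scan_bytes(data, signatures=SIGNATURES):
    """Return the names of all signatures whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_file(path, signatures=SIGNATURES):
    """Scan one file; binary mode, since executables are not text."""
    with open(path, "rb") as f:
        return scan_bytes(f.read(), signatures)


def scan_tree(root, signatures=SIGNATURES):
    """On-demand scan: walk every file under root and collect the hits."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            found = scan_file(path, signatures)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo():
    """Constructed sample tree: a clean file, two 'infected' files, and a
    variant whose pattern was mutated by one byte, which the fixed
    signature no longer matches (the polymorphic-virus problem)."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    samples = {
        "notes.txt": b"just some text\n",
        "game.exe": b"MZ...header..." + SIGNATURES["Demo.Marker.A"] + b"...",
        "tool.bin": SIGNATURES["Demo.Marker.B"] + b"payload",
        "variant.exe": b"MZ" + SIGNATURES["Demo.Marker.A"].replace(b"ALPHA", b"ALPHa"),
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return scan_tree(root)


if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print(f"{path}: {', '.join(names)}")
```

Running it reports game.exe and tool.bin but not variant.exe, which is why signature databases need constant updating and why scanners add the heuristic and integrity methods described next.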

Antivirus software is usually sold as a package containing several independent programs
that perform different functions. Installed together, these provide broad, though never
complete, protection against viruses. Within most antivirus packages, several methods
are used to detect viruses. Checksumming, for example, records a checksum of each
executable program and compares it against a fresh computation later. If the checksum
has not changed, the program has not been modified since the baseline was taken; if it
has, the program may have been infected. Checksumming can detect an infection only
after it has occurred, and a simple additive checksum can be evaded, so it is rarely used in
that form today. Integrity checking based on cryptographic hashes, which a virus cannot
preserve while changing a file, remains in wide use.

Most antivirus packages also use heuristics (rules of thumb derived from experience with
previous viruses) to detect new viruses. This technology observes a program's structure
or behaviour and evaluates how closely it resembles known viruses, predicting the
likelihood that a suspicious file is an as-yet unidentified or unclassified new virus.
Heuristics catch some unknown viruses at the cost of occasional false alarms.

Other types of antivirus software include monitoring software and integrity-shell
software. Monitoring software is different from scanning software: it watches for illegal
or potentially damaging activities, such as overwriting many files or reformatting the
computer's hard drive, regardless of which program performs them. Integrity-shell
software establishes a layer through which any command to run a program must pass.
Checksumming is performed automatically within the integrity shell, and programs whose
checksums do not match the baseline are not allowed to run.
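The Python below is an added example, not code from this handout, of the checksum-based integrity check that 5.2.7 and the integrity-shell paragraph above both describe. It baselines every file under a directory with SHA-256, then reports what was modified, added or removed, and it includes the naive "sum of the bytes" checksum to show why that older form is easy to evade. The directory and its contents are constructed by demo() in a temporary folder.

```python
# Added example (not from the handout): file integrity checking with SHA-256
# (baseline, re-check, classify differences), plus the naive additive
# checksum the text mentions, to show its weakness. Sample data is
# constructed by demo().
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> SHA-256 for every file under root."""
    table = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            table[os.path.relpath(path, root)] = file_digest(path)
    return table


def compare(before, after):
    """Classify differences between two baselines; an integrity shell would
    refuse to run anything listed under 'modified' or 'added'."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
    }


def simple_checksum(data: bytes) -> int:
    """The 'sum of the contents' check of the text. Any edit that preserves
    the byte sum (e.g. swapping two bytes) goes unnoticed, which is why a
    cryptographic hash is used instead."""
    return sum(data) & 0xFFFFFFFF


def demo():
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    prog = os.path.join(root, "prog.exe")
    with open(prog, "wb") as f:
        f.write(b"ORIGINAL PROGRAM BYTES")
    with open(os.path.join(root, "config.ini"), "wb") as f:
        f.write(b"setting=1\n")
    before = baseline(root)
    # Simulated infection: code prepended to the program, a new file dropped,
    # the config deleted. All three show up in the comparison.
    with open(prog, "wb") as f:
        f.write(b"VIRUS" + b"ORIGINAL PROGRAM BYTES")
    with open(os.path.join(root, "dropper.bin"), "wb") as f:
        f.write(b"\x00")
    os.remove(os.path.join(root, "config.ini"))
    return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline table must itself be stored where the virus cannot rewrite it (read-only media or a separate host), otherwise an infector can simply update the recorded hashes along with the files.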

Containment and Recovery


Once a viral infection has been detected, it can be contained by immediately isolating the
affected computers from the network, halting the exchange of files, and using only
write-protected disks. In order for a computer system to recover from a viral infection,
the virus must first be eliminated. Some antivirus software attempts to remove detected
viruses, but sometimes with unsatisfactory results. More reliable results are obtained by
turning off the infected computer; restarting it from a known-clean, write-protected boot
medium so that the virus is not in memory; deleting infected files and replacing them
with legitimate files from backups; and removing any virus from the boot sector.

Viral Strategies

The authors of viruses have several strategies to circumvent antivirus software and to
propagate their creations more effectively. So-called polymorphic viruses vary the code
of each copy of themselves (for example by encrypting the body under a changing key),
so that no fixed byte pattern matches every copy and signature scanning fails. A stealth
virus hides from the operating system: when the system reads the location where the
virus resides, the virus intercepts the request and returns the results an uninfected system
would produce. A so-called fast-infector virus infects not only programs that are executed
but also those that are merely opened for reading. As a result, running an on-demand
scanner, which opens every program on the disk, on a computer with a resident fast
infector can spread it to every program on the computer. A so-called slow-infector virus
infects files only when they are being modified anyway, so that to checksumming
software the change looks like a legitimate modification. A so-called sparse-infector virus
infects only on certain occasions, for example every tenth program executed, which
makes its activity harder to notice.

By combining several virus-writing methods, virus authors can create more complex new
viruses. Many virus authors also adopt new technologies as they appear. The antivirus
industry must move rapidly to update its software and contain outbreaks of such new
viruses.
