Introduction to the course. puppuluri/145/Lectures/PD... · 2015. 1. 13.


Page 1:

Introduction to the course.

This work is partly funded by National Security Agency (NSA) MEPP grants #H98230-13-1-0158 and #H98230-14-1-0158. The work does not reflect the opinions of the NSA.

Page 2:

Who are we?

• Instructor(s)
  – Radford University, Dept. of Information Technology: Prem Uppuluri, Joe Chase, Jeff Pittges
  – Shenandoah Valley Governor's School: Leonard Klein, John York
  – Southwest Virginia Governor's School: Rick Fisher

• TAs
  – Michael Ramos / ? (student in the B.S. in CSAT program, Radford University)
  – ?

Page 3:

Why study cyber security?

Two reasons: security and privacy.

Page 4:

Privacy

I Know What You Did last summer, this summer and a few minutes back.

Page 5:

Example: Your actions on the web are being monitored.

Ms. Alice (Smith) goes to Washington

This example is explained in the associated screen cast lecture using the Lightbeam add-on for Firefox browsers [https://addons.mozilla.org/en-US/firefox/addon/lightbeam/].

Page 6:

You are not as anonymous as you think.

Citations:
[1] Balachander Krishnamurthy, Konstantin Naryshkin, Craig E. Wills, "Privacy Leakage vs. Protection Measures: The Growing Disconnect", W2SP 2011: Web 2.0 Security and Privacy, Oakland, CA, 2011.
[2] Alessandro Acquisti and Ralph Gross, "Predicting Social Security Numbers from Public Data", Proceedings of the National Academy of Sciences of the United States of America (PNAS), July 6, 2009. http://www.pnas.org/content/early/2009/07/02/0904891106.full.pdf+html
[3] Natasha Singer, "Mapping, and Sharing, the Consumer Genome", Page BU1, The New York Times, June 17, 2012.

• Full name, zip code, interests, queries made on websites (e.g., health queries), age [1]
• Gender, race, weight, height, education level, household income, what you like to buy online [2]
• Geographic location (almost up to your street address)
  – Example: traceroute through your IP address.
• Social Security Number [2]
• What you are likely to buy in the near future
• Your current location (with some smartphone apps or through status updates)

But I am not famous… who will be interested in my profile?

If you are in the U.S. and an adult, chances are high your profile is out there.

From just one such data-aggregating company: "500 million active customers worldwide, with about 1,500 data points per person. That includes a majority of adults in the United States" [3] – New York Times

Page 7:

How is your online profile built?

• Cookies
  – Session cookies
  – "Supercookies"
• Status messages on social networks.
• Web beacons.
• Clickjacking (http://javascript.info/tutorial/clickjacking)
• 3rd-party applications
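The Lightbeam add-on referred to on page 5 draws a graph of which third-party sites show up across the first-party sites you visit; that graph is how cookies and web beacons from the list above turn into a single profile. The Python script below is an added example written for these notes, not part of the course material or of Lightbeam. It rebuilds that view from a constructed browsing log: each loaded resource is classified as first- or third-party, the third parties that set cookies are recorded, and the ones seen on several sites are reported. The hostnames, the log entries and the two-label approximation of a site's registrable domain are all assumptions of the example.

```python
"""Lightbeam-style view of third-party tracking, rebuilt from a constructed
browsing log. Example code added to these notes; not the course's own code."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log: (page the user visited, resource that page loaded,
# whether the response set a cookie). All hostnames are made up.
REQUEST_LOG = [
    ("https://news.example/home", "https://news.example/style.css", False),
    ("https://news.example/home", "https://ads.tracker-example.net/pixel.gif", True),
    ("https://news.example/home", "https://cdn.widgets-example.com/like.js", True),
    ("https://shop.example/cart", "https://shop.example/api/cart", True),
    ("https://shop.example/cart", "https://ads.tracker-example.net/pixel.gif", True),
    ("https://health.example/search?q=migraine", "https://ads.tracker-example.net/pixel.gif", True),
    ("https://health.example/search?q=migraine", "https://cdn.widgets-example.com/like.js", False),
    ("https://blog.example/post/1", "https://blog.example/img/1.png", False),
]


def site_of(url: str) -> str:
    """Registrable domain, approximated as the last two host labels.
    Assumption: fine for this sample; real code consults the Public Suffix List."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def is_third_party(page_url: str, resource_url: str) -> bool:
    """A resource is third-party when it comes from a different site than the page."""
    return site_of(page_url) != site_of(resource_url)


def build_tracking_graph(log):
    """Map each third-party site to the set of first-party sites that loaded it."""
    graph = defaultdict(set)
    for page, resource, _set_cookie in log:
        if is_third_party(page, resource):
            graph[site_of(resource)].add(site_of(page))
    return graph


def cross_site_trackers(log, min_sites=2):
    """Third parties present on at least min_sites distinct first-party sites that
    also set a cookie: these can tie the separate visits to one identity."""
    graph = build_tracking_graph(log)
    cookie_setters = {site_of(r) for p, r, c in log if c and is_third_party(p, r)}
    return {tp: sorted(sites) for tp, sites in graph.items()
            if len(sites) >= min_sites and tp in cookie_setters}


if __name__ == "__main__":
    for tp, sites in sorted(cross_site_trackers(REQUEST_LOG).items()):
        print(f"{tp} can correlate visits to: {', '.join(sites)}")
```

Note that the health query in the constructed log is visible to the same tracker that sees the news and shopping visits; that is the "illness you searched for online" leak of the next slide in concrete form. Blocking third-party cookies, or the tracker domains themselves, breaks the edges of this graph.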

Page 8:

So what? Data aggregation is legal and I have nothing to hide…

• Leakage of private information about you has consequences. E.g., would you share these with strangers?
  – Any illness you searched for online?
  – Your driver's license on the web?
  – The videos you watched? The music you listen to?
  – The books you browsed on a web-site?
  – Pictures someone else took of you without your permission that are now tagged?
  – Whether you are currently at home or at a restaurant?
• Moral: browse safely.

Page 9:

Security

Page 10:

Internet and the lack of borders

• Challenges:
  – Attacks can be launched
    • from anywhere
    • by anyone (basement recreational hacker to nation-states)
  – Attacks can cause real damage, such as:
    • threats to national security and critical infrastructure (healthcare, smart grids, etc.)
    • massive economic damage:
      – theft of intellectual property
      – shutting down operations
    • espionage

Page 11:

Internet and the lack of borders (2): attacks can be launched from anywhere

• Can be launched from anywhere by anyone
  – JP Morgan Chase [2014]: Russian hackers steal over 80 million accounts
    • According to The New York Times: loose ties with the Russian Government.
  – US companies hacked by Chinese military officers (US accuses 5 Chinese military officers) [2014] (Link: https://www.youtube.com/watch?v=PsAPTEN-oW4)
  – GhostNet:
    • http://www.nytimes.com/2009/03/29/technology/29spy.html
    • Most computers from where the attacks originated were in China
    • Targeted over 103 countries.
  – Red October (from: http://www.cnet.com/news/red-october-malware-spies-on-governments-worldwide/)
    • Attacks mobile devices and computer infrastructure in former USSR countries.

Page 12:

Internet and the lack of borders (4): can cause real damage

• Just a small sample of damages:
  – JP Morgan Chase hack:
    • Nearly 76 million households affected
    • News source: http://dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cyber-security-issues/

Page 13:

Internet and the lack of borders (5): can cause real damage

• Can threaten national security:
  – Video from: http://www.youtube.com/watch?v=z4PGfZvIeeo&feature=PlayList&p=F9C41BF7FBD5CAD8&playnext=1&playnext_from=PL&index=9

Page 14:

And new threats are emerging… can they be exploited globally?

• TED Talk by Avi Rubin © TED Conferences LLC (distributed by them under a Creative Commons license)

Page 15:

Course syllabus

• Topic 1: Ethics – what does it mean to be an ethical cyber citizen?
• Topic 2: Know your enemy: who attacks, why, and how?
• Topic 3: The backbone of the Internet: Linux; Windows; networking; the Web
• Topic 4: Securing
• Topic 5: Forensics: catching the criminals.

Page 16:

How will the course be taught?

• Weekly exercises
  – Capture-the-flag contest – results will be private to you.
  – Each week, you will be given a series of online problems.
    • You can use a remote lab at Radford University with all tools needed to solve the problems.
  – If you can't solve the problem or the challenge, refer to the lectures (next).
• Lectures:
  – Online/asynchronous videos/slides and material (each topic less than 10 minutes)
  – About 60 minutes of lectures per week (so about 6 recordings)
  – You can listen to these anytime, anywhere, on any device connected to the web (lectures will be on Vimeo). You may want to listen to these as you are solving the challenges.
• Weekly meetings (2):
  – Meeting 1 (57 minutes): meet me and ask any questions
  – Meeting 2 (57 minutes): two Radford University undergraduates will challenge you with interesting problems (e.g., hack a website, or fix a website, or break a password login system, or fix it, etc.).

Page 17:

Who are computer security experts?

Dr. Dorothy Denning, Professor of Computer Science, Naval Postgraduate School
Augusta Ada Lovelace Award; National Computer Systems Security Award; 2004 Harold F. Tipton Award; Fellow of the Association for Computing Machinery

One of the most eminent cryptography and information security researchers.

Image © NPS – Naval Postgraduate School; information on this slide extracted from Wikipedia

Page 18:

Who are computer security experts?

Radia Perlman, EMC Inc.

Over 100 patents in networks and network security; inventor of the Minimum Spanning Tree Protocol

Image © Wikipedia; information on this slide extracted from Wikipedia

Page 19:

Who are computer security experts?

Bruce Schneier

American cryptographer, computer security and privacy specialist; Fellow, Berkman Center for Internet and Society at Harvard Law School

Blogger at www.schneier.com

Image © Wikipedia; information on this slide extracted from Wikipedia

Page 20:

What do security experts work as?

• What jobs?
  – Application security engineers
    • Develop secure applications or secure software applications.
  – [Network|Database|Application] security administrators
    • Administer secure software systems
  – Pen-testers/ethical hackers/security analysts
  – Risk assessment/management specialists
  – Information security officers
  – Security engineers

Page 21:

A methodical look at security.

• Clearly, securing a computing infrastructure can involve many things, such as:
  – Installing anti-virus software, firewalls, intrusion detection systems.
  – Encrypting data before sending it across a computer network.
  – Creating hard-to-guess/break passwords.
  – Installing door locks.
  – Erasing a hard drive fully before recycling it.
• So when can we say we are done – our infrastructure is secure? Can we, in fact, ever claim that? What is the checklist we need to go through? Can securing infrastructure be captured in a checklist?
• Clearly we need to take a more methodical look at security.

Page 22:

Secure what? To accomplish what?

• What are we trying to secure?
  – Answer: information/data.
• So what does securing information or data mean?
  – Answer: achieve confidentiality, integrity and availability of data/information.
  – Referred to as CIA.
    • Complaint: But what if I work for the CIA?
    • Resolution: OK, then call it AIC.
• What security mechanisms can we use?
  – Answer: usually categorized into three categories: physical, administrative and technical.

Page 23:

Securing data/information: data or information is not just on a hard disk.

• Data/information exists in 3 different states:
  – Information stored on some media (e.g., hard drive or paper)
  – Information in transit across a network, or
  – Information that is being processed.
• Securing data/information involves securing information in all three of its forms.

Page 24:

Stored data/information and example attacks.

Examples of stored information                          | Example attacks
Web pages stored on hard drives                         | Web page defacement
Data stored in databases                                | Unauthorized access; inference attacks
Passwords stored on a disk                              | Unauthorized access; unauthorized modifications
Data stored on paper                                    | Physical theft or eavesdropping
Data stored on a solid state drive (MP3 player) or disk | Improper recycling of disks or solid state drives by not completely erasing them

Page 25:

Information in transit and example attacks.

Examples of information/data in transit                          | Example attacks
Password being sent across the Internet to a web server          | Password interception, cracking, replay attack (capturing and reusing the password later)
Security-critical information being transmitted across the network | Eavesdropping; tampering
Sending malicious traffic across a network                       | Internet worms
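The first row of the table, a password crossing the Internet, is worth seeing in code: if the password itself is what travels, anyone who intercepts it needs no cracking and can replay it as often as they like. The Python below is an added example for these notes, not the course's own code, and contrasts that scheme with a nonce-based challenge-response login in which only a MAC over a single-use server nonce crosses the wire. The user table, the password, the PBKDF2 work factor and the in-memory nonce bookkeeping are assumptions of the example.

```python
"""Password interception and replay (slide 25), and a nonce-based
challenge-response login that resists replay. Added example; not the course's code."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: modest work factor so the demo stays quick


def derive_key(password: str, salt: bytes) -> bytes:
    """Both ends derive the same key from the password, so the password itself need not cross the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PlaintextServer:
    """The scheme the slide warns about: the client sends the password itself.
    Whoever intercepts the message holds the password and can replay it indefinitely."""
    def __init__(self):
        self.users = {}  # constructed in-memory table: user -> (salt, derived key)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def login(self, user, wire_password):
        salt, key = self.users[user]
        return hmac.compare_digest(key, derive_key(wire_password, salt))


class ChallengeResponseServer:
    """Server issues a fresh nonce; the client answers with HMAC(key, nonce).
    A captured answer is worthless later because no nonce is accepted twice."""
    def __init__(self):
        self.users = {}
        self.outstanding = {}  # nonce -> user awaiting exactly one answer
        self.spent = set()     # consumed nonces (a real server would also expire them)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, derive_key(password, salt))

    def challenge(self, user):
        salt, _ = self.users[user]
        nonce = secrets.token_hex(16)  # unpredictable and single-use
        self.outstanding[nonce] = user
        return nonce, salt

    def login(self, user, nonce, response):
        if nonce in self.spent or self.outstanding.get(nonce) != user:
            return False  # replayed, forged, or issued to someone else
        self.spent.add(nonce)
        del self.outstanding[nonce]
        _, key = self.users[user]
        expected = hmac.new(key, nonce.encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, response)


def client_answer(password, salt, nonce):
    """What the client actually transmits: a MAC over the nonce, never the password."""
    return hmac.new(derive_key(password, salt), nonce.encode(), "sha256").hexdigest()


def simulate():
    """Returns (plaintext replay succeeds?, legitimate CR login succeeds?, CR replay succeeds?)."""
    weak = PlaintextServer()
    weak.register("alice", "correct horse")
    captured = "correct horse"                 # eavesdropper copied the wire bytes
    plaintext_replay = weak.login("alice", captured)

    strong = ChallengeResponseServer()
    strong.register("alice", "correct horse")
    nonce, salt = strong.challenge("alice")
    answer = client_answer("correct horse", salt, nonce)  # what crosses the wire
    legitimate = strong.login("alice", nonce, answer)
    replayed = strong.login("alice", nonce, answer)        # eavesdropper resends the same pair
    return plaintext_replay, legitimate, replayed


if __name__ == "__main__":
    print(simulate())  # (True, True, False)
```

The salt travels in the clear, which is normal for this kind of protocol; the secret is the password-derived key. What challenge-response does not fix is the "cracking" entry in the same table row: a captured answer can still be tested offline against guesses for a weak password, which is why the later slides insist on strong passwords and on encrypting the whole session.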

Page 26:

Data/information when being processed and example attacks.

Next: defining goals of security.

Examples of information/data being processed                                                                | Example attack/vulnerability
A login program/process is checking authentication data (passwords). The password is information that is being processed. | Process can be crashed, causing it to dump debug information (including password data being processed) into a file.
Injecting malicious data into a running process.                                                            | Buffer overflow (we will study this later).

Page 27:

Goals of security: Confidentiality, Integrity, Availability

• E.g., consider a bank. What should the bank building designers consider as their goals?
  – High-level goals: protect their resources, e.g., money, bank account information, Social Security numbers.
  – How should they be protected?
    – Money should not be stolen. This is called Integrity.
    – Social Security Numbers must be private. Stealing them will allow the burglars to cause identity theft. This is called protecting the Confidentiality of information.
    – Money should be available whenever a customer wants to withdraw. This is called Availability.

Page 28:

Same with software…

• The three main goals of security (CIA) are:
  – Confidentiality
    • Preventing unauthorized viewing of data/information.
    – Example attacks that violate this goal: wiretapping, packet sniffing.
  – Integrity
    • Preventing unauthorized tampering with or writing of data/information.
    – Example attack that violates this goal: modifying data being sent across a network.
  – Availability
    • Ensuring that data/information is available to
    – Example attack that violates this goal: crashing a website.

Page 29:

Goals of secure computing

To achieve CIA, we also identify some sub-goals:
  – Authentication
    • Checking the identity of the entity (e.g., person) who wants to access (e.g., read or write) data/information.
    • Example: usernames/passwords
  – Authorization
    • Checking the permissions of the entity (e.g., person) to access (e.g., read or write) data/information.
    • Example: file permissions on an operating system.
  – Accountability
    • Log accesses to data/information by various entities (persons)
    • Example: audit logs.
  – Non-repudiation
    • Ensure that entities cannot deny a transaction.
    • Example: a signature on a contract.

• Next: how can we achieve these goals?
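Authentication, authorization and accountability are easiest to tell apart when they sit next to each other in one program, each answering a different question. The Python below is an added example written for these notes, not the course's own code, and implements the first three sub-goals for a tiny in-memory file service: a salted password check (who are you?), a permission table (may you do this?), and an audit log that records every attempt whether or not it was allowed. Non-repudiation is left out because it needs public-key signatures, which the standard library does not provide. The user, resource and permission values are constructed for the example.

```python
"""Authentication, authorization and accountability (three of the sub-goals on
slide 29) in one small in-memory service. Added example; not the course's code."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000  # assumption: modest work factor so the demo stays quick


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Service:
    def __init__(self):
        self.credentials = {}  # user -> (salt, derived key); passwords are never stored
        self.permissions = {}  # (user, resource) -> set of allowed operations
        self.audit_log = []    # accountability: every access attempt, allowed or not

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, derive_key(password, salt))

    def grant(self, user, resource, *ops):
        self.permissions.setdefault((user, resource), set()).update(ops)

    def authenticate(self, user, password) -> bool:
        """Who is this? Re-derive the key and compare in constant time."""
        record = self.credentials.get(user)
        if record is None:
            # Do the same work for unknown users so timing does not reveal valid usernames.
            derive_key(password, secrets.token_bytes(16))
            return False
        salt, key = record
        return hmac.compare_digest(key, derive_key(password, salt))

    def authorize(self, user, resource, op) -> bool:
        """Is this (already authenticated) user allowed to do op on resource?"""
        return op in self.permissions.get((user, resource), set())

    def access(self, user, password, resource, op) -> bool:
        outcome = "denied:authentication"
        if self.authenticate(user, password):
            outcome = "ok" if self.authorize(user, resource, op) else "denied:authorization"
        # Record the attempt either way; denied attempts are what an investigator looks at first.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "resource": resource, "op": op, "outcome": outcome,
        })
        return outcome == "ok"


def demo():
    """Returns the access decisions and the audit-log outcomes for a constructed scenario."""
    svc = Service()
    svc.add_user("alice", "s3cret-Ph0to-album")
    svc.grant("alice", "/payroll.csv", "read")
    decisions = [
        svc.access("alice", "s3cret-Ph0to-album", "/payroll.csv", "read"),   # authenticated and authorized
        svc.access("alice", "s3cret-Ph0to-album", "/payroll.csv", "write"),  # authenticated, not authorized
        svc.access("alice", "wrong-password", "/payroll.csv", "read"),       # not authenticated
        svc.access("mallory", "anything", "/payroll.csv", "read"),           # unknown user
    ]
    return decisions, [entry["outcome"] for entry in svc.audit_log]


if __name__ == "__main__":
    decisions, outcomes = demo()
    for d, o in zip(decisions, outcomes):
        print(d, o)
```

Two details matter for the accountability goal: the log entry is written after the decision regardless of the result, and the password is never part of the entry, so the audit trail itself does not become the stored-password leak from page 24.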

Page 30:

Achieving goals of security: Controls/countermeasures

• Controls (also called countermeasures or security mechanisms): prevent or detect attacks against CIA.

• What are some of the attacks that you are familiar with?

Page 31:

Achieving goals of security: Controls/countermeasures (2)

• What are some of the attacks that you are familiar with?

• Now consider: how do they manifest?

Page 32:

Achieving goals of security: Controls/countermeasures (2)

All attacks can be categorized into three categories:

• Physical:
  – These exploit physical vulnerabilities.
  – Examples: stealing laptops, or catastrophic events.
• Administrative/human:
  – These exploit human vulnerabilities.
  – Examples: social engineering, knowingly or unknowingly downloading malware, visiting phishing websites.
• Technological/technical:
  – These exploit weaknesses/vulnerabilities in technology (primarily software).
  – Examples: Internet worms, denial of service (DoS).

• As a result, security mechanisms also fall into these three categories.

• Now consider: how do they manifest?

Page 33:

Achieving goals of security: Controls/countermeasures (4)

• Physical controls: securing against physical loss of data.
  – Includes controls against theft, vandalism, environmental issues (floods, lightning, etc.), improper disposal of electro-magnetic and other storage media (e.g., insecure erasure of hard drives), storage of physical keys and information.
• Administrative controls:
  – Security policies and procedures (e.g., acceptable usage of corporate computers, business continuity plans, disaster recovery plans), personnel hiring (criminal background checks, etc.).
• Technological security:
  – Secure design of software (applications, operating systems, etc.), secure programming, hardening software installations, and securing networks.

Page 34:

So which control to pick?

• Will selecting one or a few of the controls be enough?
• Clearly, no! Examples:
  – An Internet worm exploits multiple vulnerabilities in a system:
    • Software vulnerabilities
    • Weaknesses in security mechanisms such as firewalls.
  – Web security:
    • Assume a web site requires authentication. Is it secure? No! What if a user has a weak password?
• Multiple controls are needed. This is referred to as defense in depth.
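The web-login case above is the one most easily shown in code. The Python below is an added example for these notes, not the course's own code: a login service that requires a password but, on its own, would fall to a user who picks "password". Three independent layers are stacked on it: a registration-time password policy, a lockout after repeated failures, and a second factor whose codes are accepted only once. Each layer fails closed on its own, so a weakness in one does not disable the others. The denylist, the length and lockout thresholds, the simplified HOTP-style code generator and the in-memory user table are all assumptions of the example.

```python
"""Defense in depth for the login case on slide 34: authentication alone is
not enough when a user picks a weak password, so independent controls are
layered. Added example for these notes; not the course's own code."""
import hashlib
import hmac
import secrets

# Constructed denylist; a real deployment checks a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12        # assumption
MAX_FAILURES = 5       # assumption
PBKDF2_ROUNDS = 100_000


def password_policy_violations(password):
    """Layer 1: refuse weak passwords before they are ever stored."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    return problems


def otp_code(secret: bytes, counter: int) -> str:
    """Layer 3 helper: simplified HOTP-style one-time code (HMAC of a counter, 6 digits).
    Assumption: stands in for a real authenticator app."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class LoginService:
    def __init__(self):
        self.users = {}     # user -> (salt, derived key)
        self.failures = {}  # user -> consecutive failed attempts (layer 2: lockout)
        self.otp = {}       # user -> (shared secret, next expected counter)

    def register(self, user, password, otp_secret):
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))
        self.failures[user] = 0
        self.otp[user] = (otp_secret, 0)

    def is_locked(self, user):
        return self.failures.get(user, 0) >= MAX_FAILURES

    def login(self, user, password, code):
        """Every layer must pass, and a failure at any layer counts toward lockout."""
        if user not in self.users:
            return "denied:unknown-user"
        if self.is_locked(user):
            return "denied:locked"
        salt, key = self.users[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(key, candidate):
            self.failures[user] += 1
            return "denied:password"
        secret, counter = self.otp[user]
        if not hmac.compare_digest(otp_code(secret, counter), code):
            self.failures[user] += 1
            return "denied:second-factor"
        self.otp[user] = (secret, counter + 1)  # a code is accepted once
        self.failures[user] = 0
        return "ok"


def demo():
    """Constructed scenario; returns the outcome of each layer doing its job."""
    svc = LoginService()
    secret = secrets.token_bytes(20)
    results = {}
    try:
        svc.register("alice", "password", secret)
        results["weak_registration"] = "accepted"
    except ValueError:
        results["weak_registration"] = "rejected"
    svc.register("alice", "correct horse battery", secret)
    # Online guessing against alice: the lockout layer stops it after MAX_FAILURES.
    guesses = ["password", "123456", "qwerty", "letmein", "welcome1", "alice2015"]
    results["guesses"] = [svc.login("alice", g, otp_code(secret, 0)) for g in guesses]
    results["correct_while_locked"] = svc.login("alice", "correct horse battery", otp_code(secret, 0))
    # A second user shows the second factor at work and codes being single-use.
    svc.register("bob", "another strong passphrase", secret)
    good = otp_code(secret, 0)
    wrong = str((int(good[0]) + 1) % 10) + good[1:]
    results["bob"] = [
        svc.login("bob", "another strong passphrase", wrong),  # right password, wrong code
        svc.login("bob", "another strong passphrase", good),   # everything right
        svc.login("bob", "another strong passphrase", good),   # replayed code
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks is deliberate: the lockout test runs before any password hashing, so a locked account costs the server nothing, and the second factor is only consulted after the password passes, so its counter cannot be advanced by someone who does not know the password.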

Page 35:

Security is holistic: these are the categories of controls we will study.

[Figure: layered diagram of users, desktops/workstations/LANs and the network, annotated with the control categories below.]

• Applying cryptography: secure data in transit and storage
• Secure/harden the network
• Secure software development & hardening software
• Administrative/human security (policies, plans, procedures, user training)
• Apply perimeter security (technological control)
• Physical security