Computer Security Offense and Defense –
Best Practices
Sang-Yoon Chang
Assistant Professor
Computer Science
This material was developed by Sang-Yoon Chang and is intended for classroom discussion rather than to illustrate effective or ineffective handling of administrative, ethical, or legal decisions by management. No permission or compensation is needed for classroom use as long as it is acknowledged to be the creative work of the author and the UCCS Daniels Fund Ethics Initiative. For publication or electronic posting, please contact the UCCS Daniels Fund Ethics Initiative at 1-719-255-5168. (2017)
2DFEI Ethics Roundtable Computer Security Ethics by Sang-Yoon Chang
Computer network, Wireless communication
Computer security, Applied Cryptography (Coursera/MOOC!)
Teaching Computer Security at UCCS
CS 4910: Introduction to Computer Security
CS 4920/5920: Applied Cryptography
(OCS 4920/5920: Applied Cryptography)
CS 5960: Wireless & Embedded Sys. Security
Computer Security – Two Sides of a Coin
Education focuses on defense
Imperative to understand the offense
Learn concepts, techniques, and tools that can be used for offense
White hat, Black hat, Grey hat
From Hero to Prisoner
Robert Morris (Morris worm), 1988: the first person sentenced under a cyber security law, and now an MIT professor
Marcus Hutchins, 2017: from stopping WannaCry (ransomware) to getting arrested
Grey hat
Course Projects by UCCS Students
Keystroke logger
Wireless keyboard logger
Mobile malware
Fake base station
Network intrusion and detection
Denial of service (flooding)
Bluetooth Low Energy eavesdropping
Database security and SQL injection
Game console hack
Drone control security
Etc.
CS 4910 Fall 2016 (Before DFEI)
I knew ethics was important
Lecture on ethics based on the textbook chapter
Lecture at the end of the course
(CS 3050 - Social and Ethical Implications of Computing)
CS 4910 Fall 2016 (After DFEI)
Significant adaptation from the textbook chapter
Lecture earlier in the course, on 11/2 (1 week after Project Proposal)
Greater focus on responsible practice and responsible disclosure
Also discussed general legal enforcement and ethical guidelines for computing artifacts
Responsible Disclosure
After finding a security vulnerability or a threat, disclose it to the vendor or regulatory body in advance of public release
The Rules by Ad Hoc Committee for Responsible Computing
Used a case study to present dilemma
Case Study: Remote Car Hack
Remote car hacking (remotely taking control over a car) using a remote connection
Miller/Valasek in 2015 vs. UCSD/UW in 2010
Incidents presented in reverse-chronological order, from 2015 to 2010
And then the reflections in 2015 and 2016
Chrysler Jeep Hack Incident in 2015
Charlie Miller and Chris Valasek in 2015
Publicized in Wired and published at Blackhat
Patches: software and networking (Sprint)
Chrysler recalled 1.4 million cars
Copycat attacks, e.g., on BMW and TESLA
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Before 2015
Miller and Valasek in Defcon 2013
UCSD and UW in 2010 and 2011
(USC and Rutgers in 2010)
But no disclosure of the vendors and no code/details to reproduce the work
Wired Article 2015
From Wired: https://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/
“When a pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive…”
“But when another group of researchers quietly pulled off that same automotive magic trick five years earlier, their work was answered with exactly none of those reactions…”
“Took GM 5 years to fix”
“Far ahead of its time”
UCSD/UW in 2016
S. Savage at Enigma: the first time that they disclosed the actual vendors and model
https://www.youtube.com/watch?v=oiFnjuOYz3k
“Provide knowledge about problems, create some incentives to act on that knowledge, and do so in a way that minimizes real harm”
“Very little capacity to deal with the problem at the federal and the manufacturer level [at the time]”
Impact: GM “gets security religion” (CSO, 100 employees); SAE (standardization), NHTSA (lab)
Limited Disclosure 2010 vs. Coordinated Disclosure 2015
Conscious decision to make limited disclosure
Why limited disclosure in 2010?
The timing is critical
Information technology vs. operational technology
Cyber-physical systems
Integrity: Act with honesty
Trust: Trust with vendors, SAE, NHTSA, and DoT
Accountability: Responsible for the disclosure, or the non-disclosure, actions
Transparency: Open/truthful interactions with vendors, SAE, NHTSA
Fairness: Consideration for the impact of the disclosure
Respect: Honor the property of vendors and the views of the general public
Rule of Law: Research prototyping using owned possessions
Viability: Disclosure based on beliefs/values and raise awareness
Thank You
Sang-Yoon Chang
schang2@uccs.edu
http://www.uccs.edu/schang2
Thank you, DFEI!