![Page 1: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/1.jpg)
CS475: Lecture 1Computer and Network
SecurityRachel Greenstadt
January 8, 2013
Wednesday, January 9, 2013
![Page 2: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/2.jpg)
Introductions
• Your name
• Year at drexel
• Why interested in Computer Security and CS 475?
• Something else interesting about you
Wednesday, January 9, 2013
![Page 3: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/3.jpg)
High Level Information
• Instructor: Rachel Greenstadt
• Office: UC 140
• Office Hours (Wednesday 2-3 pm)
• Feel free to email or stop by
• Course website
• http://www.cs.drexel.edu/~greenie/cs475/
Wednesday, January 9, 2013
![Page 4: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/4.jpg)
Overview
• Current Events in “Computer and Network Security” (far from complete)
• About CS 475
• Security Reviews
Wednesday, January 9, 2013
![Page 5: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/5.jpg)
Computer security is an oxymoron
• We like to talk about crypto --- it’s the only thing we’ve got that really works
• Software is not secure
• Networks are not secure
• Trust infrastructures are not secure
• And users...well....I think I might have a bank in Nigeria to sell to you
Wednesday, January 9, 2013
![Page 6: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/6.jpg)
Crypto is hard: Debian
• The following lines were removed from md_rand.c
• valgrind and purify (useful debugging tools) complained about uninitialized memory
• As a result, randomness in debian generated keys (SSL and SSH) was reduced to 15 bits (32,768 unique keys) and cryptographic ops were suspect
MD_Update(&m,buf,j);[ .. ]MD_Update(&m,buf,j); /* purify complains */
Wednesday, January 9, 2013
![Page 7: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/7.jpg)
Randomness is Really Hard
• Large scale analysis of keys on the Internet
Wednesday, January 9, 2013
![Page 8: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/8.jpg)
CVE vulnerabilities
• ~5,000 per year since 2005
• 1700-3000 high severity (remote system compromise without user action)
Wednesday, January 9, 2013
![Page 9: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/9.jpg)
Web 2.0 is a sewerInternet users can be infected simply by viewing a compromised website.
Wednesday, January 9, 2013
![Page 10: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/10.jpg)
Data Protection doesn’t exist
• Data aggregators compile in-depth dossiers on everyone
• Choicepoint sold 163,000 record to identity thieves in 2005
• Often this data is lost, stolen, or misused
• See Petraeus, David
• Privacy Rights Clearinghouse documents the loss of 246,134,559 sensitive records since 2005
Wednesday, January 9, 2013
![Page 11: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/11.jpg)
Privacy in Apps?
• iOS plaintext file keeping track of fine-grained location info
• Malicious apps accessing address books, making premium phone calls, sending text messages to pay services
• How many of you pay attention to permissions on apps you download?
Wednesday, January 9, 2013
![Page 12: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/12.jpg)
SQL Injection
Wednesday, January 9, 2013
![Page 13: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/13.jpg)
Govt Oppression 2.0
• Countrywide censorship via deep packet inspection, MiTM - Iran, China, Burma, etc
• But also US, Germany, Aus, UK, etc
• US companies leading the way
• Info warfare - Russia/Estonia 2007
Wednesday, January 9, 2013
![Page 14: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/14.jpg)
Or maybe it’s just the Internet [Lampson]• Attack from anywhere
• Sharing with anyone
• Automated infection
• Hostile code
• Hostile physical environment
• Hostile hosts
Wednesday, January 9, 2013
![Page 15: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/15.jpg)
The Malware Economy• Revenue sources: SPAM, phishing, stolen data (credentials, game items)
• Revenue conversion: money mules
• Enabled by: Botnets of infected machines
• Enabled by: Infection vectors: Drive-by-downloads, email attachments, removable media
• Enabled by: Automated exploit packs (mpack, etc)
• Enabled by: Malware writers
• Enabled by: Exploit writers
• Enabled by: Software vulnerabilities/bad release engineering
Wednesday, January 9, 2013
![Page 16: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/16.jpg)
What type of access to a computer overrides all security measures?
Wednesday, January 9, 2013
![Page 17: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/17.jpg)
About CS 475• This class is in Beta
• Considerable revamp this year
• Bug reports welcome (not exploits :) )
• This class is not comprehensive
• This class is meant to be challenging, but fun
Wednesday, January 9, 2013
![Page 18: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/18.jpg)
Inspirations and Acknowledgements• This class is based in part on
• Jeremy Johnson’s CS 475
• Dan Boneh’s CS 155
• Yoshi Kohno’s CSE 484
• Ron Rivest’s 6.857
• Radia Perlman’s CS 243
Wednesday, January 9, 2013
![Page 19: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/19.jpg)
What will we cover?
• Applied security topics, network and software attacks/defenses
• The “security mindset”
• Very light on cryptography
• Economics/usability/privacy/AI
Wednesday, January 9, 2013
![Page 20: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/20.jpg)
Prerequisites
• Learning on the fly - OK if you know what you’re getting into
• C, x86 and stack basics, network socket programming, some Java, operating system principles and machine organization, Unix clue and related software engineering tools, Math (algorithms, probability, exponentiation/modular arithmetic, proofs), critical and devious thinking skills
Wednesday, January 9, 2013
![Page 21: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/21.jpg)
Grading
• Quizzes 3 x 15%
• Projects: 4 x 10%
• Homeworks and participation 15%
Wednesday, January 9, 2013
![Page 22: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/22.jpg)
Late Submission Policy
• Turn in work on time
• Late assignments will be dropped 20% per day
• No make up exams
Wednesday, January 9, 2013
![Page 23: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/23.jpg)
Cheating Policy
• New department-wide cheating policy
• When in doubt, err on the side of transparency
• list collaborators and sources
• if you wonder if it’s ok, ask
Wednesday, January 9, 2013
![Page 24: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/24.jpg)
ProjectsDone in Groups of 2-3
• Project 1 : Application Security
• Project 2 : Cryptography
• Project 3 : Network Security
• Project 4 : Security Review
Wednesday, January 9, 2013
![Page 25: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/25.jpg)
Security: Whole System is Relevant
• Security requires a whole-system view
• Cryptography
• Implementation
• People
• Physical Security
• Everything in between
• “Security is only as strong as the weakest link”
• Many places to fail
Wednesday, January 9, 2013
![Page 26: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/26.jpg)
Security Properties
• Confidentiality
• Integrity
• Authenticity
• Availability
Wednesday, January 9, 2013
![Page 27: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/27.jpg)
Wednesday, January 9, 2013
![Page 28: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/28.jpg)
Wednesday, January 9, 2013
![Page 29: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/29.jpg)
Wednesday, January 9, 2013
![Page 30: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/30.jpg)
Wednesday, January 9, 2013
![Page 31: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/31.jpg)
Analyzing the Security of a System: Part 1
• First thing : Summarize the system clearly and concisely
• Absolutely critical
• Can’t summarize, how can you analyze? Ask:
• What are the systems’ goals?
• How does the system achieve them?
• Who are the players/stakeholders?
• What are their incentives?
Wednesday, January 9, 2013
![Page 32: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/32.jpg)
Analyzing the Security of a System: Part 2• Subsequent steps
• Identify assets: What do you wish to protect
• Identify adversaries and threats
• Identify vulnerabilities
• Calculate the risks
• Evaluate controls/mitigation strategies
• Iterate
Wednesday, January 9, 2013
![Page 33: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/33.jpg)
Assets• Need to know what you are protecting!
• Hardware: Laptops, servers, routers, PDAs, phones, ...
• Software: Applications, operating systems, database systems, source code, object code, ...
• Data and information: Data for running and planning your business, design documents, data about your customers, data about your identit
• Reputation, brand name
• Responsiveness
• Assets should have an associated value (e.g., cost to replace hardware, cost to reputation, how important to business operation)
Wednesday, January 9, 2013
![Page 34: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/34.jpg)
Adversaries• National governments
• Terrorists
• Thieves
• Business competitors
• Your supplier
• Your customer
• New York Times
• Your family members (parents, children)
• Your friends
• Your ex-friends
• ...
Wednesday, January 9, 2013
![Page 35: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/35.jpg)
Threats: What not HowVoting Machine Example
• Threats are actions by adversaries who try to exploit vulnerabilities to damage assets
• Spoofing identities: Attacker pretends to be someone else
• Tampering with data: Change outcome of election
• Denial of service: Attacker makes voting machines unavailable on election day
• Elevation of privilege: Regular voter becomes admin
• Specific threats depend on environmental conditions, enforcement mechanisms, etc
• You must have a clear understanding of how the system works
Wednesday, January 9, 2013
![Page 36: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/36.jpg)
Classifying Threats• By damage done to the assets
• Confidentiality, Integrity, Availability
• By source of attacks
• (Type of) insider
• (Type of) outsider
• Local attacker
• Remote attacker
• Attacker resources
• By the actions
• Interception
• Interruption
• Modification
• Fabrication
Wednesday, January 9, 2013
![Page 37: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/37.jpg)
Wednesday, January 9, 2013
![Page 38: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/38.jpg)
Identify Vulnerabilities or Weaknesses
• How things can go wrong, not what
• Weaknesses of a system that can be exploited to cause damage
• Accounts with system privileges where the default password has not been changed (Diebold: 1111)
• Programs with unnecessary privileges
• Programs with known flaws
• Known problems with cryptography
• Weak firewall configurations that allow access to vulnerable services
• ...
Wednesday, January 9, 2013
![Page 39: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/39.jpg)
Risk Analysis• Quantitative Risk Analysis
• Expected Loss = ValueOf(Asset) * Prob(Vulnerability) * Prob(Threat)
• Hard to assign ValueOf (monetary?) and Probabilities
• Qualitative Risk Analysis
• Assets: Critical, very important, important, not important
• Vulnerabilities: Has to be fixed soon, should be fixed, fix if convenient
• Threats: Very likely, likely, unlikely, very unlikely
• Which of the attacks we discussed Thursday were a result of getting this wrong?
Wednesday, January 9, 2013
![Page 40: CS475: Lecture 1 Computer and Network Securitygreenie/cs475/CS475-13-01.pdfThe Malware Economy • Revenue sources: SPAM, phishing, stolen data (credentials, game items) • Revenue](https://reader031.vdocuments.site/reader031/viewer/2022013021/5f026a217e708231d4042904/html5/thumbnails/40.jpg)
Homework 1
• Due Jan 17
• Security review of Snapchat
Wednesday, January 9, 2013