IS820 Computer Security
Lecture 1
What's this course about?
• Introduction to computer security
• Some challenging fun projects
• Learn about attacks
• Learn about preventing attacks
• Lectures on related topics:
  • Application and operating system security
  • Web security
  • Network security
Instructor Background
• Muhammad Yasir Khan
• Over 19 years of teaching experience with students from more than 15 countries
• Taught Cisco-based networking, system administration and cyber security courses for more than 9 years in the Gulf
• Cisco Network Academy Instructor
• Program Office, Cyber Security Department
• [email protected]
• http://om.linkedin.com/in/myasir
Brief Description
This course covers fundamental issues and first principles of security and information assurance.
The course will look at the security policies, models and mechanisms related to confidentiality, integrity, authentication, identification, and availability issues related to information and information systems.
Learning Outcomes
A student passing this module should be able to:
• Understand the basic concepts in information security, including security policies, security models and security mechanisms.
• Know the concepts of applied cryptography, including plaintext, ciphertext, the four techniques of cryptanalysis, symmetric cryptography, asymmetric cryptography, digital signatures, message authentication codes, hash functions, and modes of encryption operation.
• Comprehend the concepts of malicious code, including viruses, Trojan horses, and worms.
• Understand the common vulnerabilities in computer programs, including buffer overflow vulnerabilities, time-of-check to time-of-use flaws, and incomplete mediation.
Assessment Plan (Assessment | Marks) and Tentative Schedule (No | Activity | Schedule)
Topical Paper Presentation (10%)
• You will research an ethical hacking topic.
• A research paper on a particular topic will be provided to each student.
• You will write a brief (5 page) paper and give a short (5 minute) presentation on the topic.
Lab Assignments (10%)
• Lab activities will be performed during classes. Some activities will be given as home assignments.
• Lab assignments will reinforce lecture concepts and demonstrate application of critical thinking skills.
• Lab assignments are to be completed by each student.
One Hourly Tests (OHT) (30%) and Quizzes (10%)
• Two OHTs will be conducted, each covering the last three topics completed prior to its schedule.
• Occasional quizzes will be used to reinforce concepts, check student comprehension, and instigate discussion.
• For a missed OHT, or to improve OHT marks, an extra make-up OHT may be held for the whole class, and the better of the two marks may be considered.
Final
The exam will consist of:
• multiple choice questions
• short answer questions
• scenario-based questions
Course Organization
• Application and OS security (5 lectures)
  • Buffer overflow project
  • Vulnerabilities: control hijacking attacks, fuzzing
  • Prevention: system design, robust coding, isolation
• Web security (4 lectures)
  • Web site attack and defenses project
  • Browser policies, session management, user authentication
  • HTTPS and web application security
• Network security (6 lectures)
  • Network traceroute and packet filtering project
  • Protocol designs, vulnerabilities, prevention
  • Malware, botnets, DDoS, network security testing
• A few other topics
  • Cryptography (user perspective), digital rights management, final guest lecture, …
Introductions
Please tell us:
• Your name
• Your academic background
• Your professional experience (if any)
• Your research interests
• Any of your achievements related to this program
What is security?
• System correctness: if the user supplies expected input, the system generates the desired output.
• Security: if an attacker supplies unexpected input, the system does not fail in certain ways.

• System correctness: good input → good output.
• Security: bad input → bad output.

• System correctness: more features, better.
• Security: more features can be worse.
Security properties
• Confidentiality: information about the system or its users cannot be learned by an attacker.
• Integrity: the system continues to operate properly, only reaching states that would occur if there were no attacker.
• Availability: actions by an attacker do not prevent users from having access to and use of the system.
General picture
Security is about:
• Honest users (e.g., Alice, Bob, …)
• A dishonest attacker
• How the attacker
  • disrupts the honest user's use of the system (Integrity, Availability)
  • learns information intended for Alice only (Confidentiality)
[Diagram: Alice, System, Attacker]

Network security
• Network attacker: intercepts and controls network communication
[Diagram: Alice, System, Network Attacker]

Web security
• Web attacker: sets up a malicious site visited by the victim; has no control of the network
[Diagram: Alice, System, Web Attacker]

Operating system security
• OS attacker: controls malicious files and applications
[Diagram: Alice, System, OS Attacker]

Security principles
• Confidentiality: the attacker does not learn Alice's secrets
• Integrity: the attacker does not undetectably corrupt the system's function for Alice
• Availability: the attacker does not keep the system from being useful to Alice
[Diagram: Alice, System, Attacker]
Historical hackers (prior to 2000)
Profile:
• Male
• Between 14 and 34 years of age
• Computer addicted
• High school dropout
• "…most of these people I infect are so stupid they really ain't got no business being on the Internet in the first place."
Some things in the news
• Nigerian letter (419 scams) still works: Michigan Treasurer sends 1.2 MUSD of state funds!!!
• Many zero-day attacks: Google, Excel, Word, PowerPoint, Office …
• Criminal access to important devices: numerous lost or stolen laptops and storage media containing customer information
• Second-hand computers (hard drives) pose a risk
• Vint Cerf estimates ¼ of PCs on the Internet are bots
Trends for 202x
• Malware, worms, and Trojan horses: spread by email, instant messaging, malicious or infected websites
• Botnets and zombies: improving their encryption capabilities, more difficult to detect
• Scareware: fake/rogue security software
• Attacks on client-side software: browsers, media players, PDF readers, etc.
• Ransom attacks: malware encrypts hard drives, or DDoS attack
• Social network attacks: users' trust in online friends makes these networks a prime target
• Cloud computing: growing use will make this a prime target for attack
• Web applications: developed with inadequate security controls
• Budget cuts: a problem for security personnel and a boon to cyber criminals
Figure: Application layer vulnerabilities, 2021 (left: external-facing; right: internal-facing). Source: Edgescan.
Figure: Operating system vulnerabilities.
Figure: Percentage of attacks leveraging vulnerabilities by disclosure year in 2020.
Figure: Web vs system vulnerabilities.
Botnet lifecycle
• Propagation
• Compromised host activity
• Network probe and other activity
• Recognizable activity on newly infected host
Figure: Cyber attack categories by region (HI 2019 report).

How big is the problem?
Honeyblog experiment
• Blog acting as a potential target for spamming
• Hosted a real blog (dotclear) with a modified TrackBack mechanism
• Record TrackBacks
• Passive fingerprinting
• Sample the lure site
Malware installation
• TrojanDownloader:Win32/Zlob.gen!dll
• Trojan.Popuper.origin
• Downloader.Zlob.LI
Trackback spam example
Apparent Bayesian poisoning against spam filters:
  [title] => Please teacher hentai pics
  [url] => http://please-teacher-hentai-pics.howdsl.nx.cn/index.html
  [excerpt] => pics Please teacher hentai pics ...
  [blog_name] => Please teacher hentai pics
Figure: International victim countries, 2020.
Figure: Crime types by victim counts, 2020.
Figure: Victims by age group.
Steal cars with a laptop
NEW YORK - Security technology created to protect luxury vehicles may now make it easier for tech-savvy thieves to drive away with them.
In April '07, high-tech criminals made international headlines when they used a laptop and transmitter to open the locks and start the ignition of an armor-plated BMW X5 belonging to soccer player David Beckham, the second X5 stolen from him using this technology within six months.
… Beckham's BMW X5s were stolen by thieves who hacked into the codes for the vehicles' RFID chips …
Figure: Rise of phishing attacks in the financial industry.
• Extract and statically analyze binaries using jailbreak and iPhoneInterface
• Run applications as an unprivileged user: a successful attacker would then gain only the rights of this unprivileged user.
See http://www.securityevaluators.com/iphone/exploitingiphone.pdf
Underground economy
• Spam service
• Rent-a-bot
• Cash-out
• Pump and dump
• Botnet rental
Rank | Last | Goods and services | Current | Previous | Prices
1    | 2    | Bank accounts      | 22%     | 21%      | $10-1000
Lots of buggy software...
• Why do programmers write insecure code?
• Awareness is the main issue
If you remember only one thing from this course:
Ethical use of security information
• We discuss vulnerabilities and attacks
  • Most vulnerabilities have been fixed
  • Some attacks may still cause harm
  • Do not try these at home or anyplace else
• Purpose of this class
  • Learn to prevent malicious attacks
  • Use knowledge for good purposes
Sean Smith
Melissa virus: 5 years in prison, $150K fine
Difficult problem: insider threat
• Easy to hide code in large software packages
• Virtually impossible to detect back doors
• Skill level needed to hide malicious code is much lower than that needed to find it
• Anyone with access to the development environment is capable
Example insider attack
• Hidden trap door in Linux, Nov 2003
  • Allows attacker to take over a computer
  • Practically undetectable change
  • Uncovered by anomaly in CVS usage
• Inserted line in wait4():
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
See: http://lwn.net/Articles/57135/
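As an added example (not code from the lecture or the Linux kernel), the following C program models the wait4() condition above with a one-field stand-in for the kernel's task struct and local macros OPT_WCLONE/OPT_WALL in place of __WCLONE/__WALL, and shows that the version written with "=" silently sets the caller's uid to 0 while reporting success.

```c
/* Added example (not from the lecture or the Linux kernel): a model of the
 * wait4() line above, showing why "= 0" instead of "== 0" is a backdoor.
 * OPT_WCLONE/OPT_WALL and struct task are assumptions of this example. */
#include <stdio.h>

#define OPT_WCLONE 0x80000000u
#define OPT_WALL   0x40000000u
#define ERR_EINVAL 22          /* EINVAL on Linux, so -EINVAL is -22 */
struct task { unsigned int uid; };   /* only the field the check touches */

/* The condition as a reviewer reads it ("=="): uid is only compared. */
int wait4_check_as_read(struct task *current, unsigned int options) {
    int retval = 0;
    if ((options == (OPT_WCLONE | OPT_WALL)) && (current->uid == 0))
        retval = -ERR_EINVAL;
    return retval;
}

/* The line actually inserted ("="): the inner expression assigns 0 to uid,
 * making the caller root, then evaluates to 0 (false), so retval stays 0 and
 * the call looks like a normal success. */
int wait4_check_inserted(struct task *current, unsigned int options) {
    int retval = 0;
    if ((options == (OPT_WCLONE | OPT_WALL)) && (current->uid = 0))
        retval = -ERR_EINVAL;
    return retval;
}

/* Defender-side check: call a variant for a caller with uid_before and the
 * option combination from the slide; return the caller's uid afterwards.
 * A check that only reads uid must return it unchanged. */
unsigned int uid_after_check(int (*check)(struct task *, unsigned int), unsigned int uid_before) {
    struct task t = { uid_before };
    check(&t, OPT_WCLONE | OPT_WALL);
    return t.uid;
}

/* Return value of a variant for the same call: the inserted version never
 * reports -EINVAL, so nothing in the result hints at what happened. */
int retval_of_check(int (*check)(struct task *, unsigned int), unsigned int uid_before) {
    struct task t = { uid_before };
    return check(&t, OPT_WCLONE | OPT_WALL);
}

int main(void) {
    printf("as read:  uid 1000 -> %u\n", uid_after_check(wait4_check_as_read, 1000));
    printf("inserted: uid 1000 -> %u\n", uid_after_check(wait4_check_inserted, 1000));
    return 0;
}
```

gcc -Wall (-Wparentheses) warns about an assignment used directly as a truth value, but the extra parentheses around `current->uid = 0` suppress that warning, so the compiler gives no hint here and only review of the change itself can catch it.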
Rob Harris case - slot machines
• An insider: worked for the Gaming Control Board
Example #3
• Breeders' Cup race
  • Upgrade of software to phone betting system
  • Insider, Christopher Harn, rigged the software
  • Allowed him and accomplices to call in and change the bets that were placed, undetectably
  • Caught when he got greedy: won $3 million
http://horseracing.about.com/library/weekly/aa110102a.htm
Software dangers
• Software is complex
  • Top metric for measuring the number of flaws is lines of code
• Windows operating system
  • Tens of millions of lines of code
  • New "critical" security bug announced every week
• Unintended security flaws unavoidable
• Intentional security flaws undetectable
Ken Thompson
• What code can we trust?
  • Consider "login" or "su" in Unix
  • Is the RedHat binary reliable?
  • Does it send your passwd to someone?
• Can't trust the binary, so check the source and recompile
  • Read the source code or write your own
  • Does this solve the problem?
Compiler backdoor
• This is the basis of Thompson's attack
  • Compiler looks for source code that looks like the login program
  • If found, insert login backdoor (allow a special user to log in)
• How do we solve this?
  • Inspect the compiler source
C compiler is written in C
Change compiler source S:

    compiler(S) {
        if (match(S, "login-pattern")) {
            compile(login-backdoor)
            return
        }
        if (match(S, "compiler-pattern")) {
            compile(compiler-backdoor)
            return
        }
        .... /* compile as usual */
    }
Clever trick to avoid detection
• Compile this compiler and delete the backdoor tests from the source
• Someone can compile the standard compiler source to get a new compiler, then compile login, and get login with the backdoor
• The simplest approach will only work once
  • Compiling the compiler twice might lose the backdoor
  • But the code for the compiler backdoor can be made to output itself (Can you write a program that prints itself? Recursion theorem)
Social
• Many attacks don't use computers
  • Call the system administrator
  • Dive in the dumpster
Q & A