This particular presentation covers, at a high level, our national cybersecurity initiative. The content targets prospective high school students and delves into areas of computer science, information systems, and policy.
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Cybersecurity: Defending our Nation's Infrastructure in the 21st Century
Paul Martin and Michael Rushanan
April 15, 2012

Who am I?
• Background
• Education
• Previous Internships
• Current Research
• Interests
Who Are You? Survey says…
1. How many of you own a personal computer?
2. How many of you own a smartphone (Android, Blackberry, iPhone)?
3. How many of you play video games?
4. How many of you have programmed before?
5. How many of you use [Windows, Mac OS X, Linux]?

Who Are You? Now you're on the spot…
Tell us a little about yourself:
• What are your interests?
• Have you thought about future goals, and if so, what?
• What do you hope to learn from this?
What is a Computer?
Can you list some of the computing devices that you use on a daily basis?

What is a Computer?
What separates a computer from other electronic/mechanical devices?

What is a Computer?
What sorts of computers are researchers concerned with?

What is a Computer?
What sorts of computers require security?
Trick question: ALL OF THEM!
What is a Program?
Computational processes/algorithms that are purposely built to do something, e.g. the Chrome web browser.
• Where does the browser run?
• Does the browser take input?
• What does the browser output?
• Does your Chrome browser notice that iTunes is currently running (ignoring possible extension ideas)?

What is a Program?
What are some of the programs that you use on a daily basis?
Computer Security
The most annoying thing you will see repeatedly in your life… the security model:
• Confidentiality
• Integrity
• Availability
A is also for: authentication, authorization.

Computer Security
• Information security applied to computers
• Controlling who or what has access to certain information and under what conditions they may access or modify this information
• Very broad – some examples:
  • Cell phones, game consoles, ebook readers
  • Medical records
  • Corporate email
  • Banking
• Two broad areas (that overlap):
  • Security
  • Privacy

Computer Security Tool Belt
• Hacking/Pen Testing
• Building Secure Systems
• Enforcing Access Control Policies
• All of these overlap with privacy issues, but ignore that for now
Hacking
The Hacker Manifesto
by +++The Mentor+++
Written January 8, 1986

Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950s technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
You can't stop us all... after all, we're all alike.

Hacking
I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me... Or thinks I'm a smart ass... Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike…

Hacking
You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all… after all, we're all alike.
Hacking
• What is hacking and what is a hacker?
• What can we hack?
• Is hacking always bad?

The Hat System
• Traditionally "hats" are used to refer to a hacker's affiliation
• White hat = good, black hat = bad
• But is it really so black and white?
Exercise #1
• In groups of 3-4, take 10-15 minutes to go online and find something interesting that has been hacked.
  Define: Interesting – take your interests mentioned earlier, and see if anything has been done in that specific domain!
• Describe to the class:
  • What was being protected?
  • Was this white or black hat hacking?
  • What was hacked?
  • How was it hacked (if applicable)?
  • What was the result?
  • How does this affect society?

Exercise #2
• Remaining in the same group (we hope you played nice), you will be appointed an interesting hacking topic for 10-15 minutes (the topic is interesting because I say it is).
• Describe to the class:
  • What was being protected?
  • What was hacked?
  • How was it hacked (if applicable)?
  • What was the result?
  • How does this affect society?

How are Things Hacked?
• What do you think the goal of hacking is?
How are Programs Hacked?
• How do you own a box?
  • You hack a program and take it over, gaining its privileges.
• You want it to execute instructions that you provide rather than what it's programmed to do. How do you go about doing this?
  • The program execution flow can be modeled by a digraph if that helps.
  • (Functions, loops, conditionals.)
• This is pretty standard, no matter what you are hacking, though it is not necessarily the only way that things are hacked.
• Do we want examples of how this happens (I won't be offended if you say no)?

How Do Security Holes Happen?
• Programmer error
  • Anywhere input comes from an external source, it needs to be checked and modified to fit the specific preconditions the program relies on.
  • This usually doesn't happen, and that's how computers get hacked.
So We Hacked a Program, Now What?
• To hack a computer you hack a program to gain control of its process
  • Then you hack the computer again to run as a superuser with full control over the system.
  • This is short-circuited if you can just hack a program running as a superuser to begin with.
  • These are less common because of this security risk.
• To hack a program you typically see what programs are listening for network connections and you focus your attention here.
• Most (lazy or unpaid) people just run a scanner and determine the program/version running on a server and then look up known security holes in these programs online.

So We Hacked a Program, Now What?
• Nowadays exploits (the way to hack a specific version of a specific program) typically come prepackaged.
• (Almost) every program has unknown vulnerabilities that can be found by experts with time (and money). (Especially money.)
Privacy
• What does it mean for something to be private?
• How private is private?

Privacy
Real world application time…
In the health domain, privacy is a major concern! For instance, let us imagine that we are a team of developers that have just been contracted by the CDC, Centers for Disease Control and Prevention, to develop a web application specific to the recent outbreak of Share-And-Chew. This new viral outbreak has been linked to sharing a piece of gum (yes, pre-chewed), and has a wide spread of health complications, including death. The problem with this outbreak, specifically, is that people are generally too embarrassed to seek help and contact those they have shared gum with to seek treatment. The CDC would like us to build an anonymous notification and treatment application to solve this complex social hurdle.

Privacy
Design Requirements:
1) Considering this is a web application, should the site be accessible over HTTP or HTTPS? If the user's identity was leaked, how would it make him/her feel? What if you used an anonymous service like this; how would you feel if your identity leaked?
2) What about a site cookie; why is this a good/bad idea?
3) We were asked to write geolocation, derived from the IP address, to the site's database for population and location spread. What is the implication of gathering such data, and should we also write the IP to the database?
4) We are also to offer an opt-out feature in which someone who received an email can choose not to receive any more. Doing so requires writing the email to the database. Should we hash this email?
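The "fit the input to its preconditions" rule from the security-holes slide and design requirements 3 and 4 above, worked through as an added example (not code from the lecture): external addresses and IPs are validated before use, the opt-out table holds a keyed hash rather than the address, and only a coarse region is derived from the IP. The secret key, address pattern and region table are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed server-side secret for this example; a real deployment loads it
# from a secrets store, never from source.
OPT_OUT_KEY = b"example-key-for-illustration-only"

# Deliberately simple address shape; the point is that a precondition exists.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed lookup table standing in for a real IP-to-region database.
SAMPLE_REGIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "Region A",
    ipaddress.ip_network("198.51.100.0/24"): "Region B",
}


def normalize_email(raw: str) -> str:
    """Force externally supplied input to meet the precondition before use."""
    addr = raw.strip().lower()  # case-folded so one address yields one token
    if len(addr) > 254 or not EMAIL_RE.fullmatch(addr):
        raise ValueError("rejected malformed address")
    return addr


def opt_out_token(raw_email: str) -> str:
    """Keyed hash stored in the opt-out table instead of the address itself.

    An unkeyed hash would let anyone holding the table confirm membership by
    hashing guessed addresses; the server-side key removes that check.
    """
    addr = normalize_email(raw_email)
    return hmac.new(OPT_OUT_KEY, addr.encode(), hashlib.sha256).hexdigest()


def is_opted_out(raw_email: str, opt_out_table: set) -> bool:
    """Membership check; malformed input is simply treated as not opted out."""
    try:
        return opt_out_token(raw_email) in opt_out_table
    except ValueError:
        return False


def coarse_location(ip_text: str) -> str:
    """Derive only the region for the spread map; the raw IP is never kept."""
    ip = ipaddress.ip_address(ip_text.strip())  # raises ValueError on garbage
    for net, region in SAMPLE_REGIONS.items():
        if ip in net:
            return region
    return "unknown"
```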