More Related Content


Special Topics Day for Engineering Innovation Lecture on Cybersecurity

  1. Cybersecurity Defending our Nation’s Infrastructure in the 21st Century Paul Martin and Michael Rushanan April 15, 2012
  2. Who am I? Background Education Previous Internships Current Research Interests
  3. Who Are You? Survey says… 1.  How many of you own a personal computer? 2.  How many of you own a smartphone (Android, Blackberry, iPhone)? 3.  How many of you play video games? 4.  How many of you have programmed before? 5.  How many of you use [Windows, Mac OS X, Linux]?
  4. Who Are You? Now you’re on the spot… Tell us a little about yourself: •  What are your Interests? •  Have you thought about future goals, and if so – what? •  What do you hope to learn from this?
  5. Background Context
  6. What is a Computer? Can you list some of the computing devices that you use on a daily basis?
  7. What is a Computer? What separates a computer from other electronic/mechanical devices?
  8. What is a Computer? What sorts of computers are researchers concerned with?
  9. What is a Computer? What sorts of computers require security? Trick Question: ALL OF THEM!
  10. What is a Program? Computational processes/algorithms that are purposely built to do something. e.g. Chrome Web Browser •  Where does the browser run? •  Does the browser take input? •  What does the browser output? •  Does your chrome browser notice that iTunes is currently running (ignoring possible extension ideas)?
  11. What is a Program? What are some of the programs that use on a daily basis?
  12. Cybersecurity
  13. What is Cybersecurity? What do you think of when you hear the term “cybersecurity”?
  14. What is Cybersecurity? What have you heard about cybersecurity in the news?
  15. What is Cybersecurity? Why do you think cybersecurity is important? Do you think it’s important?
  16. Computer Security
  17. Computer Security The most annoying thing you will see repeatedly in your life… confidentiality Security Model integrity availability A is also for: authentication, authorization.
  18. Computer Security •  Information security applied to computers •  Controlling who or what has access to certain information and under what conditions they may access or modify this information •  Very broad – some examples: •  Cell phones, game consoles, ebook readers •  Medical records •  Corporate email •  Banking • Two broad areas (that overlap) •  Security •  Privacy
  19. Computer Security Tool Belt •  Hacking/Pen Testing •  Building Secure Systems •  Enforcing Access Control Policies •  All of these overlap with privacy issues, but ignore that for now
  20. Hacking
  21. Hacking The Hacker Manifesto by +++The Mentor+++ Written January 8, 1986 Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"... Damn kids. They're all alike. But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world... Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me... Damn underachiever. They're all alike. you can't stop us all... after all, we're all alike.
  22. Hacking I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..." Damn kid. Probably copied it. They're all alike. I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here... Damn kid. All he does is play games. They're all alike. And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all... Damn kid. Tying up the phone line again. They're all alike…
  23. Hacking You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert. This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all…after all, we’re all alike.
  24. Hacking •  What is hacking and what is a hacker? •  What can we hack? •  Is hacking always bad?
  25. WikiLeaks •  Discuss.
  26. Exercise #[1,2]
  27. The Hat System •  Traditionally “hats” are used to refer to hackers affiliation •  White hat = good, black hat = bad •  But is it really so black and white?
  28. Exercise #1 •  In groups of 3-4, take 10-15 minutes to go online and find something interesting that has been hacked. Define: Interesting – Take your interests mentioned earlier, and see if anything has been done in that specific domain! •  Describe to the class: •  What was being protected? •  Was this white or black hat hacking? •  What was hacked? •  How was it hacked (if applicable)? •  What was the result? •  How does this effect society?
  29. Exercise #2 •  Remaining in the same group, we hope you played nice, you will be appointed an interesting hacking topic for 10-15 minutes (the topic is interesting because I say it is). •  Describe to the class •  What was being protected? •  What was hacked? •  How was it hacked (if applicable)? •  What was the result? •  How does this effect society?
  30. How are Things Hacked?
  31. How are Things Hacked? •  What do you think the goal of hacking is?
  32. How are Programs Hacked? •  How do you own a box? •  You hack a program and take it over, gaining it’s privileges. •  You want it to execute instructions that you provide rather than what it’s programmed to do. How do you go about doing this? •  The program execution flow can be modeled by a digraph if that helps. •  (Functions, loops, conditionals). •  This is pretty standard, no matter what you are hacking, though it is not necessarily the only way that things are hacked. •  Do we want examples of how this happens (I won’t be offended if you say no)?
  33. How Do Security Holes Happen? •  Programmer error •  Anywhere input comes from an external source, it needs to be modified to fit specific preconditions. •  This usually doesn’t happen and that’s how computers get hacked.
  34. So We Hacked a Program, Now What? •  To hack a computer you hack a program to gain control of its process •  Then you hack the computer again to run as a superuser with full control over the system. •  This is short circuited if you can just hack a program running as a superuser to begin with. •  These are less common because of this security risk. •  To hack a program you typically see what programs are listening for network connections and you focus your attention here. •  Most (lazy or unpaid) people just run a scanner and determine the program/version running on a server and then look up known security holes in these programs online.
  35. So We Hacked a Program, Now What? •  Nowadays exploits (the way to hack a specific version of a specific program) typically come prepackaged. •  (Almost) every program has unknown vulnerabilities that can be found by experts with time (and money). (especially money)
  36. Privacy
  37. Privacy •  What does it mean for something to be private? •  How private is private?
  38. Privacy Real world application time… In the health domain, privacy is a major concern! For instance, let us imagine that we are a team of developers that have just been contracted by the CDC, Centers for Disease Control and Prevention, to develop a web application specific to the recent outbreak of Share-And-Chew. This new viral outbreak has has been linked to sharing a piece of gum (yes, pre-chewed), and has a wide spread of health complications, including death. The problem with this outbreak, specifically, is that people are generally to embarrassed to seek help and contact those they have shared gum with to seek treatment. The CDC would like us to build an anonymous notification and treatment application to solve this complex social hurdle.
  39. Privacy Design Requirements: 1)  Considering this is a web application, should the site be accessible over HTTP or HTTPS? If the users identity was leaked, how would it make him/her feel? What if you used an anonymous service like this; how would you feel if your identity leaked? 2)  What about a site cookie, why is this a good/bad idea? 3)  We were asked to write geolocation, from derived IP location, to the sites database for population and location spread. What is the implication of gathering such data, and should we also write the IP to the database? 4)  We are also to offer an opt out feature in which someone who received an email can choose not to receive any more. Doing so requires writing the email to the database. Should we hash this email?