introduction to information securitysecuresw.dankook.ac.kr/iss18-1/iss_2018_02_intro_part2.pdf · -...

Seong-je Cho

Spring 2018

Computer Security & Operating Systems Lab, DKU

Introduction to Software Security

Introduction to Information Security

- 2 -

Sources / References

N. Vlajic, CSE 3482: Introduction to Computer Security, Yorku

Nicholas Weaver, Computer Science 161: Computer Security, Berkeley

Myrto Arapinis, Computer Security: INFRA10067, University of Edinburgh

Please do not duplicate and distribute

Computer Security & OS Lab, DKU

- 3 -

Contents

Data vs. Information

IT, Information System

What is Security?

Information Security, Computer Security, Cyber Security

Network Security, System Security, Software Security

Some Famous Real World Threats/Attacks

Why is Security important?

Threats of Stolen Credit Card Numbers

Who is responsible for Information Security?


- 4 -

Introduction

Computer –general purpose device that can be programmed to carry out a set of arithmetic or logical operations automatically

A computer is an electronic device for storing and processing of data/information

A computer is an electronic machine that accepts data/information, processes it according to specific instructions, and provides the results as new information

Examples

Desktops

Laptops, Tablets

Smartphones

Servers, Routers

Gaming consoles

Industrial controllers …


- 5 -

Data vs. Information


Data Information

• Raw facts• Unorganized• Unprocessed• Chaotic or Unsorted• Input to a Process

• Useful & Relevant• Organized• Processed• Ordered or Sorted• Output of a Process

- 6 -

Information Technology (IT)

Information Technology – technology involving development & use of computer systems & networks for the purpose of processing & distribution of data/information

Categories of IT jobs: IT engineer - develops new or upgrades existing IT equipment (software or

hardware)

IT administrator - installs, maintains, repairs IT equip./system

IT architect - draws up plans for IT systems and how they will be implemented

IT manager - oversees other IT employees, has authority to buy technology and plan budgets

IT security specialist - creates and executes security applications to maintain system security and safety


- 7 -

Information System

Entire set of data, software, hardware, networks, people, procedures and policies that deal with processing & distribution of information in an organization each component has its own strengths, weaknesses, and its own security

requirements


• Information is

‒ stored on computer H/W,

‒ manipulated by S/W,

‒ Transmitted by communication,

‒ used by people

‒ controlled by policies

- 8 -

What is Security?

Security = State of being secure, free from danger (threat/risk/vulnerability)

Security is to enforce a desired property in the presence of an attacker

Data confidentiality

Data and computation integrity

Availability

Authentication (Authenticity)

User privacy (Anonymity)

…

Information Security – practice of defending information from unauthorized

Access (read, write, append)

Use

Recording

Disruption (분열, 혼란, 중단, 붕괴) – DoS (Denial-of-Service)

Destruction (Deletion) – DoS

Modification (Alternation, Tampering)

…Computer Security & OS Lab, DKU

- 9 -

What is Computer Security?

Computer security is the protection of computer systems against adversarial environments allow intended use

prevent unintended use

Computer Security is the protection of computing systems and the data that they store or access

We will try to understand:

why computer systems are insecure

how to build secure systems


- 10 -

Computer Security vs. Information Security

Computer security (aka IT security) is mostly concerned with information in ‘digital form’

Information security is concerned with information in any form it may take: electronic, print, etc.


☞ But, in this class, the two terms are used interchangeably

Why is Security important?

Some famous real world attacks


- 12 -

Why is security important?

Computer Security allows the University to carry out its mission by:

Enabling people to carry out their jobs, education, and research

Supporting critical business processes

Protection personal and sensitive information

It is important for our Physical safety

Confidentiality / Privacy

Functionality

Protecting our assets

Successful business

A country’s economy and safety

and so on …


- 13 -

Real World Threats/Risks/Attacks

Physical safety threats

FBI probe of alleged plane hack sparks worries over flight safety

How a hacker says he took over a

plane’s in-flight entertainment

system

Privacy / Confidentiality

Last September, Yahoo announced that data associated with at least 500 million accounts had been stolen.

Three months later, it disclosed

a second breach affecting more

than one billion accounts.

Last year, Myspace confirmed a breach of user names and passwords for about 360 million accounts.


2017 Data Breaches [Identity Theft Resource Center]

- January 1, 2005 to December 27, 2017 (cumulative totals)

• Number of Breaches = 8,190

• Number of Records Exposed = 1,057,771,011

http://money.cnn.com/2016/09/22/technology/yahoo-data-breach/?iid=EL

http://money.cnn.com/2016/12/14/technology/yahoo-breach-billion-users/index.html?iid=EL

https://www.usatoday.com/story/tech/2016/05/31/360-million-myspace-accounts-breached/85183200/

- 14 -


LinkedIn Lost 167 Million Account Credentials in Data Breach – May 2016

LinkedIn’s 2012 data breach

A hacker stole 6.5 million encrypted passwords from the site and posted them to a Russian

crime forum

a hacker going by the name of “Peace” is trying to sell the emails and passwords of 117 million LinkedIn members on a dark web illegal marketplace for around $2,200, payable in bitcoin.

Powerful worm on Twitter unleashes torrent of out-of-control tweets – June 2014

Twitter on Wednesday was briefly overrun by a powerful computer worm that caused tens of thousands of users to tweet a message that contained self-propagating code exploiting a bug in the TweetDeck app.

Within a few hours, the cross-site scripting (XSS) attack caused at least 84,700 users to retweet a single message originally transmitted by the user @derGeruhn.

The body of the message contained JavaScript commands that caused anyone viewing it in

TweetDeck to automatically retweet it.


https://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised

http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

https://twitter.com/derGeruhn/status/476764918763749376

- 15 -


WannaCry ransomware


- 16 -


Can affect a country’s economy


Inside the Prykarpattyaoblenergo control center, which distributes power to the region's residents, operators too were nearing the end of their shift. But just as one worker was organizing papers at his desk that day, the cursor on his computer suddenly skittered across the screen of its own accord.He watched as it navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters.The operator grabbed his mouse and tried desperately to seize control of the cursor, but it was unresponsive. …

The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren't opportunists who just happened upon the networks and launched an attack to test their abilities

- 17 -


2017 cyberattacks on Ukraine

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms.

ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%.

the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.

Security experts found that the version of Petya used in the Ukraine cyberattacks had been modified, and subsequently has been named NotPetya or Nyetna to distinguish it from the original malware.

NotPetya encrypted all of the files on the infected computers, not just the Master File Table,

and in some cases the computer's files were completely wiped or rewritten in a manner that

could not be undone through decryption.

Some security experts saw that the software could intercept passwords and perform

administrator-level actions that could further ruin computer files.


https://en.wikipedia.org/wiki/Cyberattack

https://en.wikipedia.org/wiki/Petya_(malware)

https://en.wikipedia.org/wiki/Ukraine

https://en.wikipedia.org/wiki/ESET

https://en.wikipedia.org/wiki/Associated_Press

https://en.wikipedia.org/wiki/Ransomware

- 18 -

And NotPetya …

Someone (attackers) don't like Ukraine...

They compromised the update channel for MeDoc

MeDoc is Ukrainian S/W company

An analyst (Nichols) discovered an alarming vulnerability in the update servers for MeDoc

Think "TurboTax For Business in Ukraine":

One of only two accounting packages which businesses can use to pay taxes

They then monitored for weeks with their backdoor

This gave them a foothold in almost all who have Ukranian business

Then they released a malicious "worm"

A program which self-propagates: spreads from computer to computer in an institution

And then disabled all the infected computers with a fake "ransomware" payload

This cost Maersk shipping alone $100M-300M in lost revenue!

» A.P. Moller-Maersk is the world’s largest container shipping company

Maersk may lose up to $300M due to NotPetya attack


Threats of Stolen Credit Card Numbers


- 20 -

How Do Credit Card Numbers Get Stolen?

Contactless Scenario 1: methods of ‘operation’ by Hacking

malware installed on a corporate server

malware installed on a public computer – data skimmed whenever user logs in their bank number, credit card number, email address, password …

malware installed on a public server – malware downloaded to a client machine at every visit of infected Web-site

Contactless Scenario 2: methods of ‘operation’ by Phishing

malware sent via email as attachment / link

user must be fooled at opening attachment / link and initiating malware installation

phishing = most common ‘attack vector’ in most (corporate) hacks


- 21 -

Where Do Stolen Credit Card Numbers Go ?

Credit Card Brokers

Black market ‘agents’ who buy and re-sell stolen credit card numbers


- 22 -

What is the selling price for stolen credit card numbers?

http://www.theregister.co.uk/2013/07/02/mcafee_cybercrime_exposed/


http://www.theregister.co.uk/2013/07/02/mcafee_cybercrime_exposed/

- 23 -

What else can you find on the black market?

Underground black market: Thriving trade in stolen data, malware, and attack services -- From Symantec Official Blog, Nov. 2015

The expansive underground marketplace

Scans of real passports ($1 to $2), which can be used for identity theft purposes

Stolen gaming accounts ($10 to $15), which can yield valuable virtual items

Custom malware ($12 to $3,500), for example tools for stealing bitcoins by diverting

payments to the attackers

1,000 followers on social networks ($1 to $12)

Stolen cloud accounts ($5 to $8), which can be used for hosting a command-and-control

(C&C) server

Sending spam to 1 million verified email addresses ($70 to $150)

Registered and activated Russian mobile phone SIM card ($100)

https://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services


https://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services

Who is responsible for information security?


- 25 -

What is hackable?

Everything!

Especially things connected to the Internet


- 26 -

Good Security Standards follow the “90 / 10” Rule:

10% of security safeguards are technical

90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices


Example: The lock on the door is the 10%.

You remembering to lock the lock, checking to see if the door is closed, ensuring

others do not prop the door open, keeping control of the keys, etc. is the 90%.

You need both parts for effective security.

What Does This Mean for Me? This means that everyone who uses a computer or mobile device needs to

understand how to keep their computer, devices and data secure.

Information Security is everyone’s responsibility

- 27 -

Who is responsible for information security?

“In the last 20 years, technology has permeated every facet

of the business environment. The business place is no longer

static –it moves whenever employees travel from office to

office, from office to home, from city to city. Since business

have become more fluid, …, information security is no longer

the sole responsibility of a small dedicated group of

professionals, …, it is now the responsibility of every employee ….”

The Internet can be a hazardous place.

A compromised computer is a hazard to everyone else, too – not just to you

Question: What can a hacked computer be used for/to?


- 28 -

Importance of Good Passwords

The Real Lessons Of Gawker's Security Mess – Forbes, Dec. 2010

The first thing the Gnosis group does in the synopsis it released of their attack is identify Nick Denton’s (founder of Gawker Media) password, and point out that it is the same password he uses for Gawker’s Google Apps account and on his twitter account @nicknoted. They go on to provide 16 more Gawker staffer’s e-mail addresses, user names, and passwords. The passwords, 15 of which are strings that are either common dictionary words or slight variations thereof and one that is the person’s name and 1, indicate that Gawker has no password composition policy (how long passwords should be, that they should contain letters/numbers/special characters) for employees.

They also determined his password on the campfire team collaboration tool instance used by Gawker (a real time chat utility) and with it extracted 4 gigabytes of Gawker chat logs. From within those chat logs the attackers were able to extract FTP (file transfer protocol) servers, usernames, and credentials for the sites thq.com, valvesoftware, rockstargames, lucasarts, scea, kotaku, and 2kgames.

https://www.forbes.com/sites/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/#6abce5126b5d


https://www.forbes.com/sites/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/#6abce5126b5d

- 29 -

Many cyber security threats are largely avoidable.

Some key steps that everyone can take include

Use good, cryptic passwords that can’t be easily guessed - and keep your passwords secret

Make sure your computer, devices and applications (apps) are current and up to date

Make sure your computer is protected with up-to-date anti-virus and anti-spyware software

Don’t click on unknown or unsolicited links or attachments, and don’t download unknown files or programs onto your computer or other devices

Remember that information and passwords sent via standard, unencrypted wireless are especially easy for hackers to intercept

To help reduce the risk, look for “https” in the URL before you enter any sensitive information or a password (the “s” stands for “secure”)

Also avoid standard, unencrypted email and unencrypted Instant Messaging (IM) if you’re concerned about privacy


- 30 -

What will you try to learn in this class?

How to think adversarially about computer systems

How to assess threats for their significance

How to build programs & systems with robust security properties

If I find out you start a new project in C or C++, or use unescaped SQL, or allow your

web site to support CRSF attacks...

MY SPIRIT WILL REACH THROUGH YOUR MONITOR AND STRANGLE YOU!!!!

How to gauge the protections and limitations provided by today's technology

How attacks work in practice

Code injection, logic errors, browser & web server vulnerabilities,


- 31 -

Summary, Q & A

Definition of

Information

Information System

What is Information Security?

Information security = Computer security

Information security is important for our ……

Keep your Credit Card Number secret.

Everything is hackable.

Everyone is responsible for information security.


introduction to information securitysecuresw.dankook.ac.kr/iss18-1/iss_2018_02_intro_part2.pdf · -...

Documents