introduction to information securitysecuresw.dankook.ac.kr/iss18-1/iss_2018_02_intro_part2.pdf · -...
TRANSCRIPT
Seong-je Cho
Spring 2018
Computer Security & Operating Systems Lab, DKU
Introduction to Software Security
Introduction to Information Security
- 2 -
Sources / References
N. Vlajic, CSE 3482: Introduction to Computer Security, Yorku
Nicholas Weaver, Computer Science 161: Computer Security, Berkeley
Myrto Arapinis, Computer Security: INFRA10067, University of Edinburgh
Please do not duplicate and distribute
Computer Security & OS Lab, DKU
- 3 -
Contents
Data vs. Information
IT, Information System
What is Security?
Information Security, Computer Security, Cyber Security
Network Security, System Security, Software Security
Some Famous Real World Threats/Attacks
Why is Security important?
Threats of Stolen Credit Card Numbers
Who is responsible for Information Security?
Computer Security & OS Lab, DKU
- 4 -
Introduction
Computer –general purpose device that can be programmed to carry out a set of arithmetic or logical operations automatically
A computer is an electronic device for storing and processing of data/information
A computer is an electronic machine that accepts data/information, processes it according to specific instructions, and provides the results as new information
Examples
Desktops
Laptops, Tablets
Smartphones
Servers, Routers
Gaming consoles
Industrial controllers …
Computer Security & OS Lab, DKU
- 5 -
Data vs. Information
Computer Security & OS Lab, DKU
Data Information
• Raw facts• Unorganized• Unprocessed• Chaotic or Unsorted• Input to a Process
• Useful & Relevant• Organized• Processed• Ordered or Sorted• Output of a Process
- 6 -
Information Technology (IT)
Information Technology – technology involving development & use of computer systems & networks for the purpose of processing & distribution of data/information
Categories of IT jobs: IT engineer - develops new or upgrades existing IT equipment (software or
hardware)
IT administrator - installs, maintains, repairs IT equip./system
IT architect - draws up plans for IT systems and how they will be implemented
IT manager - oversees other IT employees, has authority to buy technology and plan budgets
IT security specialist - creates and executes security applications to maintain system security and safety
Computer Security & OS Lab, DKU
- 7 -
Information System
Entire set of data, software, hardware, networks, people, procedures and policies that deal with processing & distribution of information in an organization each component has its own strengths, weaknesses, and its own security
requirements
Computer Security & OS Lab, DKU
• Information is
‒ stored on computer H/W,
‒ manipulated by S/W,
‒ Transmitted by communication,
‒ used by people
‒ controlled by policies
- 8 -
What is Security?
Security = State of being secure, free from danger (threat/risk/vulnerability)
Security is to enforce a desired property in the presence of an attacker
Data confidentiality
Data and computation integrity
Availability
Authentication (Authenticity)
User privacy (Anonymity)
…
Information Security – practice of defending information from unauthorized
Access (read, write, append)
Use
Recording
Disruption (분열, 혼란, 중단, 붕괴) – DoS (Denial-of-Service)
Destruction (Deletion) – DoS
Modification (Alternation, Tampering)
…Computer Security & OS Lab, DKU
- 9 -
What is Computer Security?
Computer security is the protection of computer systems against adversarial environments allow intended use
prevent unintended use
Computer Security is the protection of computing systems and the data that they store or access
We will try to understand:
why computer systems are insecure
how to build secure systems
Computer Security & OS Lab, DKU
- 10 -
Computer Security vs. Information Security
Computer security (aka IT security) is mostly concerned with information in ‘digital form’
Information security is concerned with information in any form it may take: electronic, print, etc.
Computer Security & OS Lab, DKU
☞ But, in this class, the two terms are used interchangeably
Why is Security important?
Some famous real world attacks
Computer Security & OS Lab, DKU
- 12 -
Why is security important?
Computer Security allows the University to carry out its mission by:
Enabling people to carry out their jobs, education, and research
Supporting critical business processes
Protection personal and sensitive information
It is important for our Physical safety
Confidentiality / Privacy
Functionality
Protecting our assets
Successful business
A country’s economy and safety
and so on …
Computer Security & OS Lab, DKU
- 13 -
Real World Threats/Risks/Attacks
Physical safety threats
FBI probe of alleged plane hack sparks worries over flight safety
How a hacker says he took over a
plane’s in-flight entertainment
system
Privacy / Confidentiality
Last September, Yahoo announced that data associated with at least 500 million accounts had been stolen.
Three months later, it disclosed
a second breach affecting more
than one billion accounts.
Last year, Myspace confirmed a breach of user names and passwords for about 360 million accounts.
Computer Security & OS Lab, DKU
2017 Data Breaches [Identity Theft Resource Center]
- January 1, 2005 to December 27, 2017 (cumulative totals)
• Number of Breaches = 8,190
• Number of Records Exposed = 1,057,771,011
- 14 -
Real World Threats/Risks/Attacks
LinkedIn Lost 167 Million Account Credentials in Data Breach – May 2016
LinkedIn’s 2012 data breach
A hacker stole 6.5 million encrypted passwords from the site and posted them to a Russian
crime forum
a hacker going by the name of “Peace” is trying to sell the emails and passwords of 117 million LinkedIn members on a dark web illegal marketplace for around $2,200, payable in bitcoin.
Powerful worm on Twitter unleashes torrent of out-of-control tweets – June 2014
Twitter on Wednesday was briefly overrun by a powerful computer worm that caused tens of thousands of users to tweet a message that contained self-propagating code exploiting a bug in the TweetDeck app.
Within a few hours, the cross-site scripting (XSS) attack caused at least 84,700 users to retweet a single message originally transmitted by the user @derGeruhn.
The body of the message contained JavaScript commands that caused anyone viewing it in
TweetDeck to automatically retweet it.
Computer Security & OS Lab, DKU
- 15 -
Real World Threats/Risks/Attacks
WannaCry ransomware
Computer Security & OS Lab, DKU
- 16 -
Real World Threats/Risks/Attacks
Can affect a country’s economy
Computer Security & OS Lab, DKU
Inside the Prykarpattyaoblenergo control center, which distributes power to the region's residents, operators too were nearing the end of their shift. But just as one worker was organizing papers at his desk that day, the cursor on his computer suddenly skittered across the screen of its own accord.He watched as it navigated purposefully toward buttons controlling the circuit breakers at a substation in the region and then clicked on a box to open the breakers and take the substation offline. A dialogue window popped up on screen asking to confirm the action, and the operator stared dumbfounded as the cursor glided to the box and clicked to affirm. Somewhere in a region outside the city he knew that thousands of residents had just lost their lights and heaters.The operator grabbed his mouse and tried desperately to seize control of the cursor, but it was unresponsive. …
The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren't opportunists who just happened upon the networks and launched an attack to test their abilities
- 17 -
Real World Threats/Risks/Attacks
2017 cyberattacks on Ukraine
A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms.
ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%.
the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.
Security experts found that the version of Petya used in the Ukraine cyberattacks had been modified, and subsequently has been named NotPetya or Nyetna to distinguish it from the original malware.
NotPetya encrypted all of the files on the infected computers, not just the Master File Table,
and in some cases the computer's files were completely wiped or rewritten in a manner that
could not be undone through decryption.
Some security experts saw that the software could intercept passwords and perform
administrator-level actions that could further ruin computer files.
Computer Security & OS Lab, DKU
- 18 -
And NotPetya …
Someone (attackers) don't like Ukraine...
They compromised the update channel for MeDoc
MeDoc is Ukrainian S/W company
An analyst (Nichols) discovered an alarming vulnerability in the update servers for MeDoc
Think "TurboTax For Business in Ukraine":
One of only two accounting packages which businesses can use to pay taxes
They then monitored for weeks with their backdoor
This gave them a foothold in almost all who have Ukranian business
Then they released a malicious "worm"
A program which self-propagates: spreads from computer to computer in an institution
And then disabled all the infected computers with a fake "ransomware" payload
This cost Maersk shipping alone $100M-300M in lost revenue!
» A.P. Moller-Maersk is the world’s largest container shipping company
Maersk may lose up to $300M due to NotPetya attack
Computer Security & OS Lab, DKU
Threats of Stolen Credit Card Numbers
Computer Security & OS Lab, DKU
- 20 -
How Do Credit Card Numbers Get Stolen?
Contactless Scenario 1: methods of ‘operation’ by Hacking
malware installed on a corporate server
malware installed on a public computer – data skimmed whenever user logs in their bank number, credit card number, email address, password …
malware installed on a public server – malware downloaded to a client machine at every visit of infected Web-site
Contactless Scenario 2: methods of ‘operation’ by Phishing
malware sent via email as attachment / link
user must be fooled at opening attachment / link and initiating malware installation
phishing = most common ‘attack vector’ in most (corporate) hacks
Computer Security & OS Lab, DKU
- 21 -
Where Do Stolen Credit Card Numbers Go ?
Credit Card Brokers
Black market ‘agents’ who buy and re-sell stolen credit card numbers
Computer Security & OS Lab, DKU
- 22 -
What is the selling price for stolen credit card numbers?
http://www.theregister.co.uk/2013/07/02/mcafee_cybercrime_exposed/
Computer Security & OS Lab, DKU
- 23 -
What else can you find on the black market?
Underground black market: Thriving trade in stolen data, malware, and attack services -- From Symantec Official Blog, Nov. 2015
The expansive underground marketplace
Scans of real passports ($1 to $2), which can be used for identity theft purposes
Stolen gaming accounts ($10 to $15), which can yield valuable virtual items
Custom malware ($12 to $3,500), for example tools for stealing bitcoins by diverting
payments to the attackers
1,000 followers on social networks ($1 to $12)
Stolen cloud accounts ($5 to $8), which can be used for hosting a command-and-control
(C&C) server
Sending spam to 1 million verified email addresses ($70 to $150)
Registered and activated Russian mobile phone SIM card ($100)
https://www.symantec.com/connect/blogs/underground-black-market-thriving-trade-stolen-data-malware-and-attack-services
Computer Security & OS Lab, DKU
Who is responsible for information security?
Computer Security & OS Lab, DKU
- 25 -
What is hackable?
Everything!
Especially things connected to the Internet
Computer Security & OS Lab, DKU
- 26 -
Good Security Standards follow the “90 / 10” Rule:
10% of security safeguards are technical
90% of security safeguards rely on the computer user (“YOU”) to adhere to good computing practices
Computer Security & OS Lab, DKU
Example: The lock on the door is the 10%.
You remembering to lock the lock, checking to see if the door is closed, ensuring
others do not prop the door open, keeping control of the keys, etc. is the 90%.
You need both parts for effective security.
What Does This Mean for Me? This means that everyone who uses a computer or mobile device needs to
understand how to keep their computer, devices and data secure.
Information Security is everyone’s responsibility
- 27 -
Who is responsible for information security?
“In the last 20 years, technology has permeated every facet
of the business environment. The business place is no longer
static –it moves whenever employees travel from office to
office, from office to home, from city to city. Since business
have become more fluid, …, information security is no longer
the sole responsibility of a small dedicated group of
professionals, …, it is now the responsibility of every employee ….”
The Internet can be a hazardous place.
A compromised computer is a hazard to everyone else, too – not just to you
Question: What can a hacked computer be used for/to?
Computer Security & OS Lab, DKU
- 28 -
Importance of Good Passwords
The Real Lessons Of Gawker's Security Mess – Forbes, Dec. 2010
The first thing the Gnosis group does in the synopsis it released of their attack is identify Nick Denton’s (founder of Gawker Media) password, and point out that it is the same password he uses for Gawker’s Google Apps account and on his twitter account @nicknoted. They go on to provide 16 more Gawker staffer’s e-mail addresses, user names, and passwords. The passwords, 15 of which are strings that are either common dictionary words or slight variations thereof and one that is the person’s name and 1, indicate that Gawker has no password composition policy (how long passwords should be, that they should contain letters/numbers/special characters) for employees.
They also determined his password on the campfire team collaboration tool instance used by Gawker (a real time chat utility) and with it extracted 4 gigabytes of Gawker chat logs. From within those chat logs the attackers were able to extract FTP (file transfer protocol) servers, usernames, and credentials for the sites thq.com, valvesoftware, rockstargames, lucasarts, scea, kotaku, and 2kgames.
https://www.forbes.com/sites/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/#6abce5126b5d
Computer Security & OS Lab, DKU
- 29 -
Many cyber security threats are largely avoidable.
Some key steps that everyone can take include
Use good, cryptic passwords that can’t be easily guessed - and keep your passwords secret
Make sure your computer, devices and applications (apps) are current and up to date
Make sure your computer is protected with up-to-date anti-virus and anti-spyware software
Don’t click on unknown or unsolicited links or attachments, and don’t download unknown files or programs onto your computer or other devices
Remember that information and passwords sent via standard, unencrypted wireless are especially easy for hackers to intercept
To help reduce the risk, look for “https” in the URL before you enter any sensitive information or a password (the “s” stands for “secure”)
Also avoid standard, unencrypted email and unencrypted Instant Messaging (IM) if you’re concerned about privacy
Computer Security & OS Lab, DKU
- 30 -
What will you try to learn in this class?
How to think adversarially about computer systems
How to assess threats for their significance
How to build programs & systems with robust security properties
If I find out you start a new project in C or C++, or use unescaped SQL, or allow your
web site to support CRSF attacks...
MY SPIRIT WILL REACH THROUGH YOUR MONITOR AND STRANGLE YOU!!!!
How to gauge the protections and limitations provided by today's technology
How attacks work in practice
Code injection, logic errors, browser & web server vulnerabilities,
Computer Security & OS Lab, DKU
- 31 -
Summary, Q & A
Definition of
Information
Information System
What is Information Security?
Information security = Computer security
Information security is important for our ……
Keep your Credit Card Number secret.
Everything is hackable.
Everyone is responsible for information security.
Computer Security & OS Lab, DKU