CS363Week 1 - Wednesday

Last time

What did we talk about last time? Course overview Terminology

Threats Vulnerabilities Attacks Controls

CIA

Questions?

Security Tidbit: Patch Tuesday! Yesterday was Patch Tuesday

Microsoft, Oracle, and Adobe put out their patches on the second Tuesday of the month

Oracle (Java's owner) only puts them out quarterly

Are these patches available for Java 6? No! Unless you have an expensive support

license from Oracle And this lab has Java 6!

Security tidbit continued

Welcome to Exploit Wednesday! Because the patches on Patch Tuesday are

often to fix security holes, today is one of the most dangerous days for computer security All the hackers now know exactly what

vulnerabilities can be attacked 36 of the fixes will be for Java 7 SE products

34 of these cover remote exploits without authentication

Follow the story: http://www.zdnet.com/oracle-to-patch-java-other-

products-tuesday-7000025023/

Computer Criminals

Amateurs

Most computer criminals are amateurs

They commit crimes of opportunity Time-stealing is common Disgruntled or recently fired

employees can use their knowledge of a system to attack it

Crackers

You are all hackers by now A malicious hacker is called a

cracker A large segment of crackers are high

school or college students They often attempt to gain access to

other people’s computer systems for the fun or challenge of it

Career Criminals

Most professional crackers are trained computer scientists who have turned to crime

In the early days of hacking and viruses, destroying hardware, software, or data was the goal

Professional crackers now look to make money by stealing valuable data

There are connections to organized crime Many attacks come from Russia, Asia, and

Brazil

Terrorists

Modern terrorists are often computer savvy Three common forms of terrorist computer

usage are: Targets of attack

Denial-of-service and defacement of websites Propaganda vehicles

Websites and e-mail lists used to disseminate information

Methods of attackUsing computers to coordinate or initiate other forms of terrorism

Methods of Defense

Methods

There are five common ways of dealing with attacks, many of which can be used together

Prevent• Remove the vulnerability from the system

Deter• Make the attack harder to execute

Deflect• Make another target more attractive (perhaps

a decoy)Detect• Discover that the attack happened,

immediately or later

Recover• Recover from the effects of the attack

Controls

Many different controls can be used to achieve the five methods of defense

Encryption

Encryption is the scrambling of data Often a key or some other secret information

is used to do the scrambling Without knowledge of the secret, the data

becomes useless Modern encryption is one of the most

powerful tools for preserving computer security

Most modern attacks do not depend on breaking encryption but on circumventing it

Encryption

The process of encryption takes plaintext as an input and produces ciphertext as an output

Plaintext (or cleartext) is not necessarily human readable, but its contents are not protected in any way

Using cryptography, we can build protocols to support confidentiality and integrity (and even availability indirectly)

As useful as it is, encryption is not a panacea

Software controls

Software controls include: Internal program controls▪ Parts of a program that enforce security▪ Example: password checking to access parts of a database

OS and network controls▪ Tools to protect users from each other▪ Example: user files that cannot be accessed by other users)

Independent control programs▪ Application programs that protect against specific

vulnerabilities▪ Example: virus scanners

Development controls▪ Quality control for creating software so that vulnerabilities are

not introduced

Hardware controls

There are many different kinds of hardware controls that can be used for many different situations: Smart cards used for encryption on

satellite or cable television set-top boxes Locks and cables preventing theft Fingerprint or other biometric readers Firewalls Many others

Policies and procedures

Human beings ultimately get involved It is important to have policies and

procedures to guide their actions, such as: Change passwords regularly Don’t give people your password Don’t allow coworkers access to data they

should not have Laws are important policies with

consequences, but they react slowly to the rapid changes in technology

Physical controls

Physical controls can be inexpensive and effective Locks on doors Security guards Backup copies of data Planning for natural disasters and fires

Simple controls are often the best Attackers will always look for a weak

point in your defenses

Effectiveness of controls

Many issues impact the effectiveness of controls Awareness of problem

Users must be convinced that it is worth using the controls Likelihood of use

The controls must be easy enough to use that the task performed is not seriously affected

Overlapping controlsOverlapping controls or a layered defense can help, but sometimes the controls negatively impact each other

Periodic reviewConditions change, and controls must be reviewed periodically and updated when needed

Cryptography

Cryptography

"Secret writing" The art of encoding a message so

that its meaning is hiddenCryptanalysis is breaking those

codes

Encryption and decryption

Encryption is the process of taking a message and encoding it

Decryption is the process of decoding the code back into a message

A plaintext is a message before encryption

A ciphertext is the message in encrypted form

A key is an extra piece of information used in the encryption process

Notation

A plaintext is M (sometimes P) A ciphertext is C The encryption function E(x) takes M and

converts it into C E(M) = C

The decryption function D(x) takes C and converts it into M D(C) = M

We sometimes specify encryption and decryption functions Ek(x) and Dk(x) specific to a key k

Attacks

Cryptography is supposed to prevent people from reading certain messages

Thus, we measure a cryptosystem based on its resistance to an adversary or attacker

Kinds of attacks: Ciphertext only: Attacker only has access to an

encrypted message, with a goal of decrypting it Known plaintext: Attacker has access to a plaintext

and its matching ciphertext, with a goal of discovering the key

Chosen plaintext: Attacker may ask to encrypt any plaintext, with a goal of discovering the key

Others, less common

Cryptanalysis

There are two kinds of security for encryption schemes Unconditionally secure▪ No matter how much time or energy an attacker has, it is impossible

to determine the plaintext Computationally secure▪ The cost of breaking the cipher exceeds the value of the encrypted

information▪ The time required to break the cipher exceeds the useful lifetime of

the information We focus on computationally secure, because there is

only one practical system that is unconditionally secure

"I want them to remain secret for as long as men are capable of evil" -Avi from Cryptonomicon

Modular Arithmetic Overview

Review of Modular Arithmetic Modulo operator takes the remainder Two numbers are said to be congruent

modulo n if they have the same remainder when divided by n

For example,39 3 (mod 12)

Addition, subtraction, and multiplication: [(a mod n) + (b mod n)] mod n = (a + b) mod n

[(a mod n) – (b mod n)] mod n = (a – b) mod n [(a mod n) x (b mod n)] mod n = (a x b) mod n

Divided and Conquered

We can’t actually divide Instead, we have to find the

multiplicative inverse The multiplicative inverse of x exists if

and only if x is relatively prime to n 13 ∙ 5 65 1 (mod 16) So, 13 and 5 are multiplicative inverses

mod 16 But, 0, 2, 4, 6, 8, 10, and 12 do not have

multiplicative inverses mod 16

Sign up for Presentations

Upcoming

Next time…

Cryptography basics Stream and block ciphers Shift ciphers

Reminders

Read Sections 2.1 and 2.2