
CS363 - PowerPoint PPT Presentation



Week 1 - Wednesday. CS363.


PowerPoint Slideshow about 'CS363' - adolfo


Presentation Transcript
Last time
  • What did we talk about last time?
  • Course overview
  • Terminology
    • Threats
    • Vulnerabilities
    • Attacks
    • Controls
  • CIA
Security Tidbit: Patch Tuesday!
  • Yesterday was Patch Tuesday
    • Microsoft, Oracle, and Adobe put out their patches on the second Tuesday of the month
    • Oracle (Java's owner) only puts them out quarterly
  • Are these patches available for Java 6?
    • No!
    • Unless you have an expensive support license from Oracle
    • And this lab has Java 6!
Security tidbit continued
  • Welcome to Exploit Wednesday!
  • Because the patches on Patch Tuesday are often to fix security holes, today is one of the most dangerous days for computer security
    • All the hackers now know exactly what vulnerabilities can be attacked
  • 36 of the fixes will be for Java 7 SE products
    • 34 of these cover remote exploits without authentication
  • Follow the story:
    • http://www.zdnet.com/oracle-to-patch-java-other-products-tuesday-7000025023/
Amateurs
  • Most computer criminals are amateurs
  • They commit crimes of opportunity
  • Time-stealing is common
  • Disgruntled or recently fired employees can use their knowledge of a system to attack it
Crackers
  • You are all hackers by now
  • A malicious hacker is called a cracker
  • A large segment of crackers are high school or college students
  • They often attempt to gain access to other people’s computer systems for the fun or challenge of it
Career Criminals
  • Most professional crackers are trained computer scientists who have turned to crime
  • In the early days of hacking and viruses, destroying hardware, software, or data was the goal
  • Professional crackers now look to make money by stealing valuable data
  • There are connections to organized crime
  • Many attacks come from Russia, Asia, and Brazil
Terrorists
  • Modern terrorists are often computer savvy
  • Three common forms of terrorist computer usage are:
    • Targets of attack
      • Denial-of-service and defacement of websites
    • Propaganda vehicles
      • Websites and e-mail lists used to disseminate information
    • Methods of attack
      • Using computers to coordinate or initiate other forms of terrorism

Methods
  • There are five common ways of dealing with attacks, many of which can be used together
Controls
  • Many different controls can be used to achieve the five methods of defense
Encryption
  • Encryption is the scrambling of data
    • Often a key or some other secret information is used to do the scrambling
    • Without knowledge of the secret, the data becomes useless
  • Modern encryption is one of the most powerful tools for preserving computer security
  • Most modern attacks do not depend on breaking encryption but on circumventing it
Encryption
  • The process of encryption takes plaintext as an input and produces ciphertext as an output
  • Plaintext (or cleartext) is not necessarily human readable, but its contents are not protected in any way
  • Using cryptography, we can build protocols to support confidentiality and integrity (and even availability indirectly)
  • As useful as it is, encryption is not a panacea
Software controls
  • Software controls include:
    • Internal program controls
      • Parts of a program that enforce security
      • Example: password checking to access parts of a database
    • OS and network controls
      • Tools to protect users from each other
      • Example: user files that cannot be accessed by other users
    • Independent control programs
      • Application programs that protect against specific vulnerabilities
      • Example: virus scanners
    • Development controls
      • Quality control for creating software so that vulnerabilities are not introduced
Hardware controls
  • There are many different kinds of hardware controls that can be used for many different situations:
    • Smart cards used for encryption on satellite or cable television set-top boxes
    • Locks and cables preventing theft
    • Fingerprint or other biometric readers
    • Firewalls
    • Many others
Policies and procedures
  • Human beings ultimately get involved
  • It is important to have policies and procedures to guide their actions, such as:
    • Change passwords regularly
    • Don’t give people your password
    • Don’t allow coworkers access to data they should not have
  • Laws are important policies with consequences, but they react slowly to the rapid changes in technology
Physical controls
  • Physical controls can be inexpensive and effective
    • Locks on doors
    • Security guards
    • Backup copies of data
    • Planning for natural disasters and fires
  • Simple controls are often the best
  • Attackers will always look for a weak point in your defenses
Effectiveness of controls
  • Many issues impact the effectiveness of controls
    • Awareness of problem
      • Users must be convinced that it is worth using the controls
    • Likelihood of use
      • The controls must be easy enough to use that the task performed is not seriously affected
    • Overlapping controls
      • Overlapping controls or a layered defense can help, but sometimes the controls negatively impact each other
    • Periodic review
      • Conditions change, and controls must be reviewed periodically and updated when needed

Cryptography
  • "Secret writing"
  • The art of encoding a message so that its meaning is hidden
  • Cryptanalysis is breaking those codes
Encryption and decryption
  • Encryption is the process of taking a message and encoding it
  • Decryption is the process of decoding the code back into a message
  • A plaintext is a message before encryption
  • A ciphertext is the message in encrypted form
  • A key is an extra piece of information used in the encryption process
Notation
  • A plaintext is M (sometimes P)
  • A ciphertext is C
  • The encryption function E(x) takes M and converts it into C
    • E(M) = C
  • The decryption function D(x) takes C and converts it into M
    • D(C) = M
  • We sometimes specify encryption and decryption functions E_k(x) and D_k(x) specific to a key k
Attacks
  • Cryptography is supposed to prevent people from reading certain messages
  • Thus, we measure a cryptosystem based on its resistance to an adversary or attacker
  • Kinds of attacks:
    • Ciphertext only: Attacker only has access to an encrypted message, with a goal of decrypting it
    • Known plaintext: Attacker has access to a plaintext and its matching ciphertext, with a goal of discovering the key
    • Chosen plaintext: Attacker may ask to encrypt any plaintext, with a goal of discovering the key
    • Others, less common
Cryptanalysis
  • There are two kinds of security for encryption schemes
    • Unconditionally secure
      • No matter how much time or energy an attacker has, it is impossible to determine the plaintext
    • Computationally secure
      • The cost of breaking the cipher exceeds the value of the encrypted information
      • The time required to break the cipher exceeds the useful lifetime of the information
  • We focus on computationally secure, because there is only one practical system that is unconditionally secure
  • "I want them to remain secret for as long as men are capable of evil" -Avi from Cryptonomicon
Review of Modular Arithmetic
  • Modulo operator takes the remainder
  • Two numbers are said to be congruent modulo n if they have the same remainder when divided by n
  • For example,

39 ≡ 3 (mod 12)

  • Addition, subtraction, and multiplication:
    • [(a mod n) + (b mod n)] mod n = (a + b) mod n
    • [(a mod n) – (b mod n)] mod n = (a – b) mod n
    • [(a mod n) x (b mod n)] mod n = (a x b) mod n
Divided and Conquered
  • We can’t actually divide
  • Instead, we have to find the multiplicative inverse
  • The multiplicative inverse of x exists if and only if x is relatively prime to n
  • 13 ∙ 5 ≡ 65 ≡ 1 (mod 16)
  • So, 13 and 5 are multiplicative inverses mod 16
  • But, 0, 2, 4, 6, 8, 10, and 12 do not have multiplicative inverses mod 16
Next time…
  • Cryptography basics
  • Stream and block ciphers
  • Shift ciphers
Reminders
  • Read Sections 2.1 and 2.2