Hema Committee Report 556462
3 Introduction.
CANVAS
} Contains links to class website and Piazza
} Has information that needs to be password protected, such as your grades
} Will be used for quizzes
PIAZZA
} Main communication environment where I will post
} announcements
} questions about class, projects, etc
How to ask on Piazza
} Read slides, notes, or project description
} Use #hashtags (#lecture2, #project3, #hw1, etc.)
} Describe the problem clearly, using the right terms
} Add code in attached files
} Add output from compiler or debugging information
} Add any other relevant information
} Don’t post solutions publicly on Piazza
} Anything that relates to a solution, post PRIVATELY
OFFICE HOURS
} Cristina: TF 3:30 – 4:30 (this is after class), ISEC 626
} Talha: WTh 3:30 pm - 5:00 pm
} Additional availability outside the allocated time if you have conflicts with the office hours
Individual meeting
} It is my policy to individually meet with you at least once per semester – this is a requirement
} Goal of the meeting is to get to know you and provide individual advice about the class
} I will update Piazza with how to sign up to meet with me during office hours or outside office hours
} If needed you can set up additional appointments by sending me a private message on Piazza
How to stay engaged during lecture and outside lecture
} Come to lecture, having a structure helps
} Take notes
} Ask questions
} Chat with colleagues
} Make plans with colleagues to work together on projects
} They are individual but you can discuss them
} Ask/answer questions on Piazza
} Meet with the TAs
Academic integrity
} It is allowed to discuss homework problems before writing them down; however, WRITING IS INDIVIDUAL
} If you look at another student’s written or typed answers, or let another student look at your written or typed answers, that is considered cheating
} It is allowed to discuss your project with your colleagues, but DO NOT SHARE CODE
} Never have a copy of someone else's homework or program in your possession and never give your homework (or password) or program to someone else.
} NO CHEATING WILL BE TOLERATED
Exceptional situations
} If anything impacts you and the class, please let me know
} We will accommodate the situation and find a solution
Weather/Emergency
} In the event of a major campus emergency, course requirements, deadlines and grading percentages are subject to changes that may be necessitated by a revised semester calendar or other circumstances beyond the instructor’s control.
This is an in-person class
} Slides will be made available immediately before lecture
} No recording will happen in class
} If you have to miss class, read the slides, and I will be happy to meet with you and address any questions
DO NOT RECORD IN CLASS
} Massachusetts prohibits the recording, interception, use or disclosure of any conversation, whether in person or over the telephone, without the permission of all the parties. The state also prohibits the recording and disclosure of images intercepted in violation of its hidden camera laws.
Class syllabus
You’ve seen the news
RSA
Target
TJ Maxx
Yahoo
Ashley Madison
Sony Pictures
The Office of Personnel Management
Equifax
The Democratic National Convention
} What do they all have in common?
} Victims of massive data breaches
} Every company is now a tech company, and every company is now vulnerable
- Exfiltration of sensitive information
- Loss of intellectual property
- Financial losses
The RSA attack 2011
(diagram: C&C, Backdoor)
Heartbleed Shellshock Meltdown Spectre
• What are these?
• Software vulnerabilities that enable malicious exploits
• Software is so critical to our way of life that massive security
vulnerabilities now achieve celebrity status
Why take this course?
Goals
} Fundamental understanding about cybersecurity
} Ability to “think like an attacker” and model threats
} Knowing essential security principles, practices, and tools
} Grappling with ethical, legal, and social issues
} Focus on software and tools
} Not hardware
} Some theoretical foundations
} Classes of attacks and defenses
} Project-centric, hands-on experience
} Real projects that build concrete skills
Books
} Required reading:
} Ghost in the Wires: My Adventures as the World's Most Wanted Hacker by Kevin Mitnick
} Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon by Kim Zetter
Workload and grading
75%*PP + 25%*QQ
Projects
} ~7 projects
} Due at 9 pm on specified days
} Use Gradescope to submit your code, documentation, etc.
} There are no extensions or late days
Examples of projects
} Linux/command line basics
} GPG key generation and essential cryptography
} Password generation and cracking
} Social engineering (essay assignment)
} Mini-Capture the Flag, exploit development
Project 1
} Will be released today, due Tuesday Sept. 20, hard deadline
} We will spend next week making sure that everybody finishes this project, as without it we cannot continue with the other projects
} Get your VM set up and start learning command line Linux
} Project questions?
} Post them on Piazza!
Quizzes
} There will be five quizzes throughout the semester
} They will be announced; they are take-home exams, and once you start you have to finish within about 45 minutes
} You cannot retake it
Ethics and the law
} We will discuss sensitive topics in this class
} Brazen criminal activity
} Offensive hacking techniques
} The goal is to help you understand the capabilities and motivations of attackers
} Do not, under any circumstances, use these skills offensively, e.g.:
  } Run exploits on Khoury College machines
  } Use scanning or attack tools against public servers or websites
  } Infiltrate your roommate’s computer and spy on them, etc.
} Failure to comply may result in expulsion and/or arrest
Your responsibilities
} Please be on time, attend classes, and take notes
} Participate in interactive discussion in class (state your name when asking a question)
} Submit programming projects on time
(Short) History of Cybersecurity
Secrecy
} Secrecy has been part of human history
} Military
} Diplomacy
} Cryptography
} “hidden writing”
} hide the meaning of a message
} Steganography
} “covered writing”
} hides the existence of a message
Historical cryptography
• First stage: paper-and-ink-based schemes
• Second stage: cryptographic engines
• Third stage: modern cryptography
Modern cryptography
(timeline figure: post-World War II → seventies → now; rigorous definitions, information theory, public-key cryptography, signature schemes, zero-knowledge, multiparty computations, threshold crypto, electronic auctions, electronic voting, private information retrieval, computation in cloud, crypto currencies, ...)
Crypto and quantum computing
} Many public-key cryptography algorithms base their security on mathematical problems that require significant computational effort to solve, and on assumptions about the computational power of the attacker
} Quantum computing breaks these assumptions
} Quantum computers will be able to easily solve these mathematical problems and render the corresponding crypto algorithms obsolete
} Example: RSA relies on factoring large numbers
Need different mechanisms to secure communication!
Information assurance
} IA is the practice of managing risks related to the use, processing, storage, and transmission of information
} Desirable properties:
} Confidentiality – secrecy of communication
} Integrity – no unauthorized modifications
} Authenticity – no spoofing or faking
} Non-repudiation – no disclaiming of authorship
} Properties are often achieved (assured) through cryptography
Ancient origins
} 1500 BCE – Encrypted tablets from Mesopotamia
} 600 BCE – First use of monoalphabetic substitution ciphers
} 400 BCE – Kama Sutra describes ciphers for protecting communications between lovers
} 800 AD – Al-Kindi uses frequency analysis to break monoalphabetic substitution ciphers
Caesar cipher
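A worked example of the Caesar cipher and of the frequency-analysis break that Al-Kindi applied to monoalphabetic substitution, added here as illustration and not taken from the slides. It assumes English plaintext, uses textbook English letter percentages, and the sample message is constructed.

```python
# Added example (not from the lecture slides): a Caesar cipher and an
# Al-Kindi style frequency-analysis break. It assumes English plaintext;
# ENGLISH_FREQ holds textbook English letter percentages for A..Z.
from string import ascii_uppercase as ALPHABET

ENGLISH_FREQ = [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03,
    2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15,
    1.97, 0.07,
]
# Constructed sample message (not from the slides).
SAMPLE_PLAINTEXT = ("ATTACK AT DAWN AND SEND REINFORCEMENTS TO THE EASTERN "
                    "GATE BEFORE THE ENEMY ARRIVES")

def caesar_encrypt(text, shift):
    """Shift each letter forward by `shift`; non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)

def caesar_decrypt(text, shift):
    return caesar_encrypt(text, -shift)

def letter_counts(text):
    counts = [0] * 26
    for ch in text.upper():
        if ch in ALPHABET:
            counts[ALPHABET.index(ch)] += 1
    return counts

def chi_squared(counts, shift):
    """How far the counts, decrypted with `shift`, sit from English; lower is better."""
    total = sum(counts) or 1
    score = 0.0
    for i in range(26):
        observed = counts[(i + shift) % 26]   # cipher letter that decrypts to plain letter i
        expected = ENGLISH_FREQ[i] * total / 100
        score += (observed - expected) ** 2 / expected
    return score

def break_caesar(ciphertext):
    """Al-Kindi's idea: the right shift is the one whose output looks most like English."""
    counts = letter_counts(ciphertext)
    return min(range(26), key=lambda s: chi_squared(counts, s))
```

Only 26 keys exist, so the break never needs a crib: `break_caesar(caesar_encrypt(SAMPLE_PLAINTEXT, 3))` recovers 3 from letter statistics alone.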
(figure: Polish Cipher Bureau; British Bletchley Park – Alan Turing; US Army Signals Intelligence Service – Genevieve Grotjan)
World War II as catalyst
} Ushers in modern cryptography and cryptanalysis
} Never again will ad-hoc cryptography (like Enigma) be secure
} Spurs the creation of the first digital computers
} Turing’s Bombe
} Leads to the birth of computer science
Phone phreaking
} The term hacker was introduced in a 1963 MIT student newspaper article about hacking the telephone system
} Original meaning: somebody who enjoyed exploring, playing with, or learning about computers
} 1960s-1970s: golden age of phreaking
} Curious nerds who explored the telephone network
Changing norms
ARPANET
WarGames (1983)
Towards cybercrime
} 1986 – Marcus Hess breaks into Arpanet
} Breaks into 400 military computers, including mainframes at the Pentagon
} Goal: sell secrets to the KGB
} Caught by a honeypot
} Machine set up to look like a tempting target…
} … but in reality is a trap designed to surveil the intruder
} One of the most effective ways of observing attackers
CFAA
} 1986 – Congress passes the Computer Fraud and Abuse Act
} First major anti-computer crime legislation
} Criminalizes “unauthorized access” to “protected computer systems”
} Some claim the law was passed in direct response to WarGames
First computer virus
} 1988 – Robert Morris inadvertently releases the first worm
} Leveraged a bug in sendmail to remotely exploit vulnerable servers
} Copied itself to the server
} Released as a research experiment
} A bug in Robert’s code caused the program to replicate out of control
} Crashed 10% of the computers on the ARPANET
} Morris was convicted under the CFAA, 3 years probation + $10k fine
} First documented use of a buffer overflow exploit
From ARPANET to Internet
} 1993 – NCSA Mosaic is the first web browser
} 1994 – Internet becomes totally privatized
} 1999 – Beginning of the first .com bubble
} 2000 – Broadband internet starts becoming widely available
Reevaluating cybersecurity
} 1983 – The Orange Book
} Developed by NSA, published by DOD
} Primarily concerned with specifying security models and access control
} Designed to mitigate insider threats
} Does not consider:
} Vulnerabilities and exploits
} Networked threats
} Social engineering
} Provides levels of certification
} Common Criteria for Information Technology Security Evaluation, 2005
Taking cybersecurity seriously
} 1987 – McAfee releases first version of VirusScan
} 1995 – Mozilla releases the Secure Sockets Layer (SSL) protocol which later will become TLS
} 2001 – NIST standardizes the Advanced Encryption Standard (AES)
} 2002 – Bill Gates launches Microsoft’s “Trustworthy Computing” initiative
• Security, Privacy, Reliability, and Business Integrity
• Watershed moment for secure software development
From hacking to organized crime
} Hacking culture throughout the 1990s and early 2000s was driven by the quest for respect
} Virus writers, web hackers, etc. competed to be the most 31337
} Destructive, unethical, and illegal…
} … but still driven by a sense of technological exploration
} By the late 2000s, hacking culture was largely dead
} In its place was organized cybercrime
The modern criminal
Inklings of cyberwarfare
} 2009 – Chinese hackers from PLA Unit 61398 perform “Operation Aurora”
} Series of hacks against US government and industry targets
} Google was targeted
} 2010 – US and Israel attack nuclear centrifuges in Iran with the Stuxnet worm
} Designed to jump over air-gapped networks
} Causes centrifuges to spin out of control, but report no anomalies
} To this day, parts of the code are undeciphered
} 2011 – RSA attack, part of an espionage group uncovered by the Mandiant APT 1 report
} 2014 – “Guardians of Peace” attack Sony Pictures
} Destroy computers, leak confidential files and unreleased movies
} Believed to be North Korean hackers
Self-propagating ransomware
(figure: WannaCry ransomware)
• 200K infected machines
• 150 countries
• May 12 – May 15, 2017
Present and future?
} Automated attacks carried out by adversarial AIs
} Remote and deadly hacks of robots and autonomous cars
} Cryptocurrency anarchy
} Widespread social engineering via targeted propaganda
} Actual warfare in cyberspace
} Complete loss of individual privacy
Class topics
Topics
} Cryptography
} Passwords and authentication
} Ethics
} Systems security
} Web security
} Internet security
} Wireless security
} Privacy: anonymous communication, data privacy