SlideShare ist ein Scribd-Unternehmen logo

Special Topics Day for Engineering Innovation Lecture on Cybersecurity

Michael Rushanan
Michael Rushanan

This particular presentation covers, at a high level, our national cybersecurity initiative. The content targets prospective high school students and delves into areas of computer science, information systems, and policy.

Bildung
1 von 39
Cybersecurity Defending our Nation’s Infrastructure in the 21st Century Paul Martin and Michael Rushanan April 15, 2012
Who am I? Background Education Previous Internships Current Research Interests
Who Are You? Survey says… 1.  How many of you own a personal computer? 2.  How many of you own a smartphone (Android, Blackberry, iPhone)? 3.  How many of you play video games? 4.  How many of you have programmed before? 5.  How many of you use [Windows, Mac OS X, Linux]?
Who Are You? Now you’re on the spot… Tell us a little about yourself: •  What are your Interests? •  Have you thought about future goals, and if so – what? •  What do you hope to learn from this?
Background Context
What is a Computer? Can you list some of the computing devices that you use on a daily basis?
What is a Computer? What separates a computer from other electronic/mechanical devices?
What is a Computer? What sorts of computers are researchers concerned with?
What is a Computer? What sorts of computers require security? Trick Question: ALL OF THEM!
What is a Program? Computational processes/algorithms that are purposely built to do something. e.g. Chrome Web Browser •  Where does the browser run? •  Does the browser take input? •  What does the browser output? •  Does your chrome browser notice that iTunes is currently running (ignoring possible extension ideas)?
What is a Program? What are some of the programs that use on a daily basis?
Cybersecurity
What is Cybersecurity? What do you think of when you hear the term “cybersecurity”?
What is Cybersecurity? What have you heard about cybersecurity in the news?
What is Cybersecurity? Why do you think cybersecurity is important? Do you think it’s important?
Computer Security
Computer Security The most annoying thing you will see repeatedly in your life… confidentiality Security Model integrity availability A is also for: authentication, authorization.
Computer Security •  Information security applied to computers •  Controlling who or what has access to certain information and under what conditions they may access or modify this information •  Very broad – some examples: •  Cell phones, game consoles, ebook readers •  Medical records •  Corporate email •  Banking • Two broad areas (that overlap) •  Security •  Privacy
Computer Security Tool Belt •  Hacking/Pen Testing •  Building Secure Systems •  Enforcing Access Control Policies •  All of these overlap with privacy issues, but ignore that for now
Hacking
Hacking The Hacker Manifesto by +++The Mentor+++ Written January 8, 1986 Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"... Damn kids. They're all alike. But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world... Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me... Damn underachiever. They're all alike. you can't stop us all... after all, we're all alike.
Hacking I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..." Damn kid. Probably copied it. They're all alike. I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here... Damn kid. All he does is play games. They're all alike. And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all... Damn kid. Tying up the phone line again. They're all alike…
Hacking You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert. This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all…after all, we’re all alike.
Hacking •  What is hacking and what is a hacker? •  What can we hack? •  Is hacking always bad?
WikiLeaks •  Discuss.
Exercise #[1,2]
The Hat System •  Traditionally “hats” are used to refer to hackers affiliation •  White hat = good, black hat = bad •  But is it really so black and white?
Exercise #1 •  In groups of 3-4, take 10-15 minutes to go online and find something interesting that has been hacked. Define: Interesting – Take your interests mentioned earlier, and see if anything has been done in that specific domain! •  Describe to the class: •  What was being protected? •  Was this white or black hat hacking? •  What was hacked? •  How was it hacked (if applicable)? •  What was the result? •  How does this effect society?
Exercise #2 •  Remaining in the same group, we hope you played nice, you will be appointed an interesting hacking topic for 10-15 minutes (the topic is interesting because I say it is). •  Describe to the class •  What was being protected? •  What was hacked? •  How was it hacked (if applicable)? •  What was the result? •  How does this effect society?
How are Things Hacked?
How are Things Hacked? •  What do you think the goal of hacking is?
How are Programs Hacked? •  How do you own a box? •  You hack a program and take it over, gaining it’s privileges. •  You want it to execute instructions that you provide rather than what it’s programmed to do. How do you go about doing this? •  The program execution flow can be modeled by a digraph if that helps. •  (Functions, loops, conditionals). •  This is pretty standard, no matter what you are hacking, though it is not necessarily the only way that things are hacked. •  Do we want examples of how this happens (I won’t be offended if you say no)?
How Do Security Holes Happen? •  Programmer error •  Anywhere input comes from an external source, it needs to be modified to fit specific preconditions. •  This usually doesn’t happen and that’s how computers get hacked.
So We Hacked a Program, Now What? •  To hack a computer you hack a program to gain control of its process •  Then you hack the computer again to run as a superuser with full control over the system. •  This is short circuited if you can just hack a program running as a superuser to begin with. •  These are less common because of this security risk. •  To hack a program you typically see what programs are listening for network connections and you focus your attention here. •  Most (lazy or unpaid) people just run a scanner and determine the program/version running on a server and then look up known security holes in these programs online.
So We Hacked a Program, Now What? •  Nowadays exploits (the way to hack a specific version of a specific program) typically come prepackaged. •  (Almost) every program has unknown vulnerabilities that can be found by experts with time (and money). (especially money)
Privacy
Privacy •  What does it mean for something to be private? •  How private is private?
Privacy Real world application time… In the health domain, privacy is a major concern! For instance, let us imagine that we are a team of developers that have just been contracted by the CDC, Centers for Disease Control and Prevention, to develop a web application specific to the recent outbreak of Share-And-Chew. This new viral outbreak has has been linked to sharing a piece of gum (yes, pre-chewed), and has a wide spread of health complications, including death. The problem with this outbreak, specifically, is that people are generally to embarrassed to seek help and contact those they have shared gum with to seek treatment. The CDC would like us to build an anonymous notification and treatment application to solve this complex social hurdle.
Privacy Design Requirements: 1)  Considering this is a web application, should the site be accessible over HTTP or HTTPS? If the users identity was leaked, how would it make him/her feel? What if you used an anonymous service like this; how would you feel if your identity leaked? 2)  What about a site cookie, why is this a good/bad idea? 3)  We were asked to write geolocation, from derived IP location, to the sites database for population and location spread. What is the implication of gathering such data, and should we also write the IP to the database? 4)  We are also to offer an opt out feature in which someone who received an email can choose not to receive any more. Doing so requires writing the email to the database. Should we hash this email?

Empfohlen

Hackers contemplations
Hackers contemplationsHackers contemplations
Hackers contemplations
Chris Roberts
 
Gunning for granny
Gunning for grannyGunning for granny
Gunning for granny
Chris Roberts
 
Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020
Chris Roberts
 
I hack you hack we all hack
I hack you hack we all hackI hack you hack we all hack
I hack you hack we all hack
KaraMichelleHarkins
 
Currentissuenotes
CurrentissuenotesCurrentissuenotes
Currentissuenotes
herri2mj
 
Social engineering
Social engineeringSocial engineering
Social engineering
Robert Hood
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Harshit Upadhyay
 
Ethical Hacking
Ethical Hacking Ethical Hacking
Ethical Hacking
Harshit Upadhyay
 

Empfohlen

Hackers contemplations
Hackers contemplationsHackers contemplations
Hackers contemplations
Chris Roberts
 
Gunning for granny
Gunning for grannyGunning for granny
Gunning for granny
Chris Roberts
 
Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020Voting Systems - ISSA Chicago Presentation 2020
Voting Systems - ISSA Chicago Presentation 2020
Chris Roberts
 
I hack you hack we all hack
I hack you hack we all hackI hack you hack we all hack
I hack you hack we all hack
KaraMichelleHarkins
 
Currentissuenotes
CurrentissuenotesCurrentissuenotes
Currentissuenotes
herri2mj
 
Social engineering
Social engineeringSocial engineering
Social engineering
Robert Hood
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Harshit Upadhyay
 
Ethical Hacking
Ethical Hacking Ethical Hacking
Ethical Hacking
Harshit Upadhyay
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
Vibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
Vibrant Event
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
Vibrant Technologies & Computers
 
Information security Presentation
Information security Presentation Information security Presentation
Information security Presentation
dhirujapla
 
An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries
Blake Carver
 
Corp Web Risks and Concerns
Corp Web Risks and ConcernsCorp Web Risks and Concerns
Corp Web Risks and Concerns
PINT Inc
 
5G and the Invisible Interface
5G and the Invisible Interface5G and the Invisible Interface
5G and the Invisible Interface
Experience UX
 
Information security consciousness
Information security consciousnessInformation security consciousness
Information security consciousness
Ciarán Mc Mahon
 
hacking
hackinghacking
hacking
mayank1293
 
Computer Security
Computer SecurityComputer Security
Computer Security
Greater Noida Institute Of Technology
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
Rexly Lasaca
 
Computer security and awareness
Computer security and awarenessComputer security and awareness
Computer security and awareness
Richard Bartlett
 
Technology Report By Noah Coffman
Technology Report By Noah CoffmanTechnology Report By Noah Coffman
Technology Report By Noah Coffman
Marq2014
 
So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017
Adrien de Beaupre
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
Dinesh582831
 
Privacy and libraries
Privacy and librariesPrivacy and libraries
Privacy and libraries
Dorothea Salo
 
Phish training final
Phish training finalPhish training final
Phish training final
Jen Ruhman
 
Conference about Social Engineering (by Wh0s)
Conference about Social Engineering (by Wh0s)Conference about Social Engineering (by Wh0s)
Conference about Social Engineering (by Wh0s)
Marta Barrio Marcos
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Muzaffar Ahmad
 
Dec2018 istanbul-2
Dec2018 istanbul-2Dec2018 istanbul-2
Dec2018 istanbul-2
Chris Roberts
 
Security and Privacy in Implantable Medical Devices
Security and Privacy in Implantable Medical DevicesSecurity and Privacy in Implantable Medical Devices
Security and Privacy in Implantable Medical Devices
Michael Rushanan
 
Versatile Low Power Media Access for Wireless Sensor Networks
Versatile Low Power Media Access for Wireless Sensor NetworksVersatile Low Power Media Access for Wireless Sensor Networks
Versatile Low Power Media Access for Wireless Sensor Networks
Michael Rushanan
 

Weitere ähnliche Inhalte

Ähnlich wie Special Topics Day for Engineering Innovation Lecture on Cybersecurity

Dec2018 istanbul-2
Dec2018 istanbul-2Dec2018 istanbul-2
Dec2018 istanbul-2
Chris Roberts
 

Ähnlich wie Special Topics Day for Engineering Innovation Lecture on Cybersecurity (20)

Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Ethical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer SecurityEthical Hacking - Introduction to Computer Security
Ethical Hacking - Introduction to Computer Security
 
Information security Presentation
Information security Presentation Information security Presentation
Information security Presentation
 
An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries An Introduction To IT Security And Privacy In Libraries
An Introduction To IT Security And Privacy In Libraries
 
Corp Web Risks and Concerns
Corp Web Risks and ConcernsCorp Web Risks and Concerns
Corp Web Risks and Concerns
 
5G and the Invisible Interface
5G and the Invisible Interface5G and the Invisible Interface
5G and the Invisible Interface
 
Information security consciousness
Information security consciousnessInformation security consciousness
Information security consciousness
 
hacking
hackinghacking
hacking
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Computer security and awareness
Computer security and awarenessComputer security and awareness
Computer security and awareness
 
Technology Report By Noah Coffman
Technology Report By Noah CoffmanTechnology Report By Noah Coffman
Technology Report By Noah Coffman
 
So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 
Privacy and libraries
Privacy and librariesPrivacy and libraries
Privacy and libraries
 
Phish training final
Phish training finalPhish training final
Phish training final
 
Conference about Social Engineering (by Wh0s)
Conference about Social Engineering (by Wh0s)Conference about Social Engineering (by Wh0s)
Conference about Social Engineering (by Wh0s)
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Dec2018 istanbul-2
Dec2018 istanbul-2Dec2018 istanbul-2
Dec2018 istanbul-2
 

Mehr von Michael Rushanan

Mehr von Michael Rushanan (6)

Security and Privacy in Implantable Medical Devices
Security and Privacy in Implantable Medical DevicesSecurity and Privacy in Implantable Medical Devices
Security and Privacy in Implantable Medical Devices
 
Versatile Low Power Media Access for Wireless Sensor Networks
Versatile Low Power Media Access for Wireless Sensor NetworksVersatile Low Power Media Access for Wireless Sensor Networks
Versatile Low Power Media Access for Wireless Sensor Networks
 
Reading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
Reading Group Presentation: Web Attacks on Host-Proof Encrypted StorageReading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
Reading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of Procrastination
 
600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security Model600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security Model
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love Android
 

Kürzlich hochgeladen

Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 

Kürzlich hochgeladen (20)

Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Unit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptxUnit-V; Pricing (Pharma Marketing Management).pptx
Unit-V; Pricing (Pharma Marketing Management).pptx
 
How to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptxHow to setup Pycharm environment for Odoo 17.pptx
How to setup Pycharm environment for Odoo 17.pptx
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptxHMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
HMCS Vancouver Pre-Deployment Brief - May 2024 (Web Version).pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Google Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptxGoogle Gemini An AI Revolution in Education.pptx
Google Gemini An AI Revolution in Education.pptx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 

Special Topics Day for Engineering Innovation Lecture on Cybersecurity

  • 1. Cybersecurity Defending our Nation’s Infrastructure in the 21st Century Paul Martin and Michael Rushanan April 15, 2012
  • 2. Who am I? Background Education Previous Internships Current Research Interests
  • 3. Who Are You? Survey says… 1.  How many of you own a personal computer? 2.  How many of you own a smartphone (Android, Blackberry, iPhone)? 3.  How many of you play video games? 4.  How many of you have programmed before? 5.  How many of you use [Windows, Mac OS X, Linux]?
  • 4. Who Are You? Now you’re on the spot… Tell us a little about yourself: •  What are your Interests? •  Have you thought about future goals, and if so – what? •  What do you hope to learn from this?
  • 6. What is a Computer? Can you list some of the computing devices that you use on a daily basis?
  • 7. What is a Computer? What separates a computer from other electronic/mechanical devices?
  • 8. What is a Computer? What sorts of computers are researchers concerned with?
  • 9. What is a Computer? What sorts of computers require security? Trick Question: ALL OF THEM!
  • 10. What is a Program? Computational processes/algorithms that are purposely built to do something. e.g. Chrome Web Browser •  Where does the browser run? •  Does the browser take input? •  What does the browser output? •  Does your chrome browser notice that iTunes is currently running (ignoring possible extension ideas)?
  • 11. What is a Program? What are some of the programs that use on a daily basis?
  • 13. What is Cybersecurity? What do you think of when you hear the term “cybersecurity”?
  • 14. What is Cybersecurity? What have you heard about cybersecurity in the news?
  • 15. What is Cybersecurity? Why do you think cybersecurity is important? Do you think it’s important?
  • 17. Computer Security The most annoying thing you will see repeatedly in your life… confidentiality Security Model integrity availability A is also for: authentication, authorization.
  • 18. Computer Security •  Information security applied to computers •  Controlling who or what has access to certain information and under what conditions they may access or modify this information •  Very broad – some examples: •  Cell phones, game consoles, ebook readers •  Medical records •  Corporate email •  Banking • Two broad areas (that overlap) •  Security •  Privacy
  • 19. Computer Security Tool Belt •  Hacking/Pen Testing •  Building Secure Systems •  Enforcing Access Control Policies •  All of these overlap with privacy issues, but ignore that for now
  • 21. Hacking The Hacker Manifesto by +++The Mentor+++ Written January 8, 1986 Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"... Damn kids. They're all alike. But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him? I am a hacker, enter my world... Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me... Damn underachiever. They're all alike. you can't stop us all... after all, we're all alike.
  • 22. Hacking I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..." Damn kid. Probably copied it. They're all alike. I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be here... Damn kid. All he does is play games. They're all alike. And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all... Damn kid. Tying up the phone line again. They're all alike…
  • 23. Hacking You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert. This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for. I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all…after all, we’re all alike.
  • 24. Hacking •  What is hacking and what is a hacker? •  What can we hack? •  Is hacking always bad?
  • 27. The Hat System •  Traditionally “hats” are used to refer to hackers affiliation •  White hat = good, black hat = bad •  But is it really so black and white?
  • 28. Exercise #1 •  In groups of 3-4, take 10-15 minutes to go online and find something interesting that has been hacked. Define: Interesting – Take your interests mentioned earlier, and see if anything has been done in that specific domain! •  Describe to the class: •  What was being protected? •  Was this white or black hat hacking? •  What was hacked? •  How was it hacked (if applicable)? •  What was the result? •  How does this effect society?
  • 29. Exercise #2 •  Remaining in the same group, we hope you played nice, you will be appointed an interesting hacking topic for 10-15 minutes (the topic is interesting because I say it is). •  Describe to the class •  What was being protected? •  What was hacked? •  How was it hacked (if applicable)? •  What was the result? •  How does this effect society?
  • 30. How are Things Hacked?
  • 31. How are Things Hacked? •  What do you think the goal of hacking is?
  • 32. How are Programs Hacked? •  How do you own a box? •  You hack a program and take it over, gaining it’s privileges. •  You want it to execute instructions that you provide rather than what it’s programmed to do. How do you go about doing this? •  The program execution flow can be modeled by a digraph if that helps. •  (Functions, loops, conditionals). •  This is pretty standard, no matter what you are hacking, though it is not necessarily the only way that things are hacked. •  Do we want examples of how this happens (I won’t be offended if you say no)?
  • 33. How Do Security Holes Happen? •  Programmer error •  Anywhere input comes from an external source, it needs to be modified to fit specific preconditions. •  This usually doesn’t happen and that’s how computers get hacked.
  • 34. So We Hacked a Program, Now What? •  To hack a computer you hack a program to gain control of its process •  Then you hack the computer again to run as a superuser with full control over the system. •  This is short circuited if you can just hack a program running as a superuser to begin with. •  These are less common because of this security risk. •  To hack a program you typically see what programs are listening for network connections and you focus your attention here. •  Most (lazy or unpaid) people just run a scanner and determine the program/version running on a server and then look up known security holes in these programs online.
  • 35. So We Hacked a Program, Now What? •  Nowadays exploits (the way to hack a specific version of a specific program) typically come prepackaged. •  (Almost) every program has unknown vulnerabilities that can be found by experts with time (and money). (especially money)
  • 37. Privacy •  What does it mean for something to be private? •  How private is private?
  • 38. Privacy Real world application time… In the health domain, privacy is a major concern! For instance, let us imagine that we are a team of developers that have just been contracted by the CDC, Centers for Disease Control and Prevention, to develop a web application specific to the recent outbreak of Share-And-Chew. This new viral outbreak has has been linked to sharing a piece of gum (yes, pre-chewed), and has a wide spread of health complications, including death. The problem with this outbreak, specifically, is that people are generally to embarrassed to seek help and contact those they have shared gum with to seek treatment. The CDC would like us to build an anonymous notification and treatment application to solve this complex social hurdle.
  • 39. Privacy Design Requirements: 1)  Considering this is a web application, should the site be accessible over HTTP or HTTPS? If the users identity was leaked, how would it make him/her feel? What if you used an anonymous service like this; how would you feel if your identity leaked? 2)  What about a site cookie, why is this a good/bad idea? 3)  We were asked to write geolocation, from derived IP location, to the sites database for population and location spread. What is the implication of gathering such data, and should we also write the IP to the database? 4)  We are also to offer an opt out feature in which someone who received an email can choose not to receive any more. Doing so requires writing the email to the database. Should we hash this email?