System Programming CS 252 Topic 20 What is Computer/Information Security About? CS252 Topic 20

Security News in 2013 Snowden leaks information about various NSA data collection programs Phone call record Supposedly email, instant message, etc. National Security Agency http://www.pbs.org/wgbh/pages/frontline/homefront/preemption/nsa.html Facebook CEO’s page hacked by Palestinian Khalil Shreateh to demonstrate bugs in Facebook NSA: Secrecy (No such agency), Resources (Computing powers by acres, mathematicians), CS252 Topic 20

In the News in 2012: Hackers Force Apple, Amazon to Change Security Policy What happened? Hackers gained access to Mat Honan (a reporter)’s iCloud account, then (according to Honan) At 5:00 PM, they remote wiped my iPhone At 5:01 PM, they remote wiped my iPad At 5:05, they remote wiped my MacBook Air. How did the attacker get access to iCloud account? Any guess? Lessons? Security only as strong as the weakest link. Information sharing across platforms can lead to unexpected vulnerabilities We’ve heard it before: Make sure to secure your online accounts with a strong, distinct password to avoid being hacked. But what if hackers can simply circumvent the need for your password to gain access to your information? Apple ID passwords could be swapped in exchange for the email address, billing address and the last four digits of the credit card associated with the account. (Now Apple users can no longer reset their Apple IDs over the phone.) The hackers obtained the last four digits of Honan’s credit card number by breaking into his account on Amazon, which is now also tightening its security features. Amazon had required even less than Apple to change a password — only a user’s name, email address and mailing address. The hackers found the final digits of Honan’s credit card once they reset his Amazon password. CS252 Topic 20

Stuxnet (2010) Stuxnet: Windows-based Worm Worm: self-propagating malicious software (malware) Attack Siemens software that control industrial control systems (ICS) and these systems Used in factories, chemical plants, and nuclear power plants First reported in June 2010, the general public aware of it only in July 2010 Seems to be a digital weapon created by a nation-state 60% (more than 62 thousand) of infected computers in Iran Iran confirmed that nuclear program damaged by Stuxnet Sophisticated design, special targets, expensive to develop These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines--and, yes, in nuclear power plants. These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software. Iranian President Mahmoud Ahmadinejad has said it "managed to create problems for a limited number of our centrifuges." He also said the problems were resolved. Earlier in November, U.N. inspectors found Iran's enrichment program temporarily shut down, according to a recent report by the U.N. nuclear watchdog. The extent and cause of the shutdown were not known, but speculation fell on Stuxnet. On 1 June 2012, an article in The New York Times said that Stuxnet is part of a U.S. and Israeli intelligence operation called "Operation Olympic Games", started under President George W. Bush and expanded under President Barack Obama. In May 2011, the PBS program Need To Know cited a statement by Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, in which he said, "we're glad they [the Iranians] are having trouble with their centrifuge machine and that we - the US and its allies - are doing everything we can to make sure that we complicate matters for them" offered "winking acknowledgement" of US involvement in Stuxnet.[20] According to the British Daily Telegraph, a showreel that was played at a retirement party for the head of the Israel Defence Forces (IDF), Gabi Ashkenazi, included references to Stuxnet as one of his operational successes as the IDF chief of staff.[21] CS252 Topic 20

Malware That Appear to Be Related to Stuxnet Duqu (September 2011) Use stolen certificates, exploits MS Word Flame (May 2012) A tool for cyber espionage in Middle East (infecting approx. 1000 machines, mostly in Iran) “Suicide” after being discovered 20 Mbytes, with SQLLite DB to store info, hide its own presence, exploit similar vulnerabilities as StuxNet, adjust its behavior to different Anti-Virus Presents a novel way to produce MD5 hash collision to exploit certificates CS252 Topic 20

What is Information (Computer) Security? Security = Sustain desirable properties under intelligent adversaries Desirable properties Understand what properties are needed. Intelligent adversaries Needs to understand/model adversaries Always think about adversaries. Differs from fault tolerance in that faults are random, and attacks are intelligently carried out. CS252 Topic 20

Security Goals/Properties (C, I, A) Confidentiality (secrecy, privacy) only those who are authorized to know can know Integrity (also authenticity in communication) only modified by authorized parties and in permitted ways do things that are expected Availability those authorized to access can get access CS252 Topic 20

Which of C, I, A are violated in .. The Stuxnet attack compromises integrity of software systems, availability of some control functionalities, confidentiality of some keys in order to sign malware to be loaded by Windows The Apple/Amazon attack Confidentiality of credit card digits Integrity of password Availability of data and devices The Facebook attack Integrity Potential availability concern CS252 Topic 20

A Typical Security Definition/Assertion In this system, an adversary who has access to the following ….. (known as the adversary model), cannot achieve its attack objective (or, equivalently, the following property of the system is preserved) unless the following is true (assumptions) Security is about understand precisely under what condition a system would fail. CS252 Topic 20

Computer Security Issues Malware (Malicious Software) Computer viruses Trojan horses Computer worms E.g., Morris worm (1988), Melissa worm (1999), Stuxnet (2010), etc. Spywares, scarewares, ransomwares Malwares on mobile devices Computer break-ins Email spams E.g., Nigerian scam (419 scam, advanced fee fraud), stock recommendations The number "419" refers to the article of the Nigerian Criminal Code (part of Chapter 38: "Obtaining Property by false pretences; Cheating") dealing with fraud. Since 1995, the United States Secret Service has been involved in combating these schemes. The organization doesn't investigate unless the monetary loss is in excess of 50,000 US Dollars. However, very few arrests and prosecutions have been made due to the international aspect of this crime. In 2006, a report by a research group concluded that Internet scams in which criminals use information they trick from gullible victims and commonly strip their bank accounts cost the United Kingdom economy £150 million per year, with the average victim losing £31,000. CS252 Topic 20

More Computer Security Issues Identity theft, e.g., phishing Driveby downloads Botnets Distributed denial of service attacks Serious security flaws in many important systems electronic voting machines, ATM systems Privacy in digital age Malware on ATM machines being found. It records card & PIN info. CS252 Topic 20

Why Do Computer Attacks Occur? Who are the attackers? bored teenagers, criminals, organized crime organizations, rogue (or other) states, industrial espionage, angry employees, … Why they do it? fun, fame, profit, … computer systems are where the moneys are Political/military objectives CS252 Topic 20

Why These Attacks Can Succeed? Software/computer systems are buggy Users make mistakes Technological factors Von Neumann architecture: stored programs Unsafe program languages Software are complex, dynamic, and increasingly so Making things secure are hard Security may make things harder to use What makes computers powerful? They are programmable. It is not designed to do one thing, but rather to execute any program. Why Turing Machine was considered a theoretical foundation for computer science. There exists a universal Turing Machine. Von Neumann architecture. Data can change into code. Computers do things that they are told to do. CS252 Topic 20

Why Do These Factors Exist? Economical factors Lack of incentives for secure software Security is difficult, expensive and takes time Human factors Lack of security training for software engineers Largely uneducated population Human factor. Analogy with security in the physical world. CS252 Topic 20

Security is Not Absolute Is your car secure? What does “secure” mean? Are you secure when you drive your car? Security is relative to the kinds of loss one consider security objectives/properties need to be stated to the threats/adversaries under consideration. security is always under certain assumptions (Merriam-Webster) Security: the quality or state of being secure (Merriam-Webster) Secure: a: free from danger b: free from risk of loss c: affording safety d: trustworthy, dependable Law, rules, Secure: 1. put valuable belongs in the car without worrying about them 2. drive it (long distance vs. short distance) Answer: it depends, upon: 1. where do I drive. 2. who are my adversary CS252 Topic 20

Security is Secondary What protection/security mechanisms one has in the physical world? Why the need for security mechanisms arises? Security is secondary to the interactions that make security necessary. What makes you feel secure in physical world? Buildings. Cars. Law enforcement. Airport security. Border security. Etc. Some of these do not exist in the past. Consider a village 6000 years ago. What make those people secure? Limited interaction. Robert H. Morris: father of the creator of the Morris Worm. Was a researcher at Bell Labs from 1960 until 1986. Then working at the (NSA). Served as chief scientist of the NSA's National Computer Security Center, where he was involved in the production of the Rainbow Series of computer security standards, and retired from the NSA in 1994. Robert H. Morris : The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it. CS252 Topic 20

Information Security is Interesting The most interesting/challenging threats to security are posed by human adversaries Security is harder than reliability Information security is a self-sustaining field Can work both from attack perspective and from defense perspective Security is about benefit/cost tradeoff Thought often the tradeoff analysis is not explicit Security is not all technological Humans are often the weakest link CS252 Topic 20

Information Security is Challenging Defense is almost always harder than attack. In which ways information security is more difficult than physical security? adversaries can come from anywhere computers enable large-scale automation adversaries can be difficult to identify adversaries can be difficult to punish potential payoff can be much higher In which ways information security is easier than physical security? Which ways information security is easier than physical security? More well-defined entry points. Lower cost of deploying high-quality security mechanisms. E.g., cryptography CS252 Topic 20

Tools for Information Security Cryptography Encryption, Message Authentication Public key encryption, Digital signature, etc. Authentication Access control Information flow control Processes and tools for developing more secure software Monitoring and analysis Recovery and response CS252 Topic 20