CSCD27 Computer and Network Security Instructor: Alan Rosselet Office: IC-494 E-mail: rosselet @ utsc utoronto ca Web: http://www.utsc.utoronto.ca/~rosselet/cscd27/ 00 Overview CSCD27 Computer and Network Security 1 Why Security 00 Overview CSCD27 Computer and Network Security 2 Why Security 00 Overview CSCD27 Computer and Network Security 3 CSCD27 Computer and Network Security 1
Why Security 00 Overview CSCD27 Computer and Network Security 4 Why Security 00 Overview CSCD27 Computer and Network Security 5 Why Security 00 Overview CSCD27 Computer and Network Security 6 CSCD27 Computer and Network Security 2
Insert slides for US govt breach, Ashley Madison breach "Ashley Madison Director of Security Mark Steele wrote in an email dated May 25, 2015. Our codebase has many (riddled?) XSS/CRSF vulnerabilities which are relatively easy to find (for a security researcher), and somewhat difficult to exploit in the wild (requires phishing). Other vulnerabilities would be things like SQL injection/data leaks, which would be much more damaging 00 Overview CSCD27 Computer and Network Security 7 "The Obama administration on Thursday revealed that 21.5 million people were swept up in a colossal breach of government computer systems that was far more damaging than initially thought, resulting in the theft of a vast trove of personal information. Every person given a government background check for the last 15 years was probably affected, hackers stole sensitive information, including addresses, health and financial history, social-security# s fingerprints and other private details. NYTimes 00 Overview CSCD27 Computer and Network Security 8 Why Security 00 Overview CSCD27 Computer and Network Security 9 CSCD27 Computer and Network Security 3
Why Security 00 Overview CSCD27 Computer and Network Security 10 Why Security "Roberts was able to connect to a box under his seat on several occasions, allowing him to view data from the aircraft's engines, fuel and flight-management systems." Roberts tweet was analyzed, and an FBI team dispatched to detain him at the airport when he landed. 00 Overview CSCD27 Computer and Network Security 11 Why Security 00 Overview CSCD27 Computer and Network Security 12 CSCD27 Computer and Network Security 4
Why Security 00 Overview CSCD27 Computer and Network Security 13 Course Content Plan of Attack Begin with a solid grounding in the algorithms that underpin much of today s digital security confidentiality: symmetric and asymmetric encryption integrity: secure hash and MAC authentication: digital signature, authentication protocols In each case, we ll examine the design of these algorithms in some depth With the fundamentals in place, we ll move on to examine some important systems security issues: code attacks and defenses authenticating humans network attacks and defenses Web attacks and defenses malware 00 Overview CSCD27 Computer and Network Security 14 Cryptography Course Topics classical crypto, Symmetric Key (DES/AES/RC4), Public Key (DH, RSA), block and stream encryption, key management Integrity and Authentication MAC, Hashes and Message Digests, Digital Signatures Authentication protocols, human authentication Crypto Software & Applications cryptographic libraries, secure email (GPG), including developing implementations of encryption algorithms 00 Overview CSCD27 Computer and Network Security 15 CSCD27 Computer and Network Security 5
Course Topics Software Security mechanics of exploits such as buffer overflow and SQL injection, and associated defenses Network Security Vulnerabilities and defenses for protocols such as ARP, 802.11 (Wifi), IP/ICMP, TCP/IP, TLS/SSL (HTTPS), DNS, including Denial of Service (DoS) Malicious Code / Malware e-mail and Web security including implementation of phishing/web attack code, viruses/worms/trojans 00 Overview CSCD27 Computer and Network Security 16 Informal Survey 1. Can you explain how RSA encryption works? AES? 2. How does HTTPS (SSL/TLS) use RSA, AES? 3. Have you coded in C or C++? Java? 4. Can you explain how a buffer-overflow exploit works? 5. Have you coded a Web app? (e.g. JavaScript, PHP)? 6. What is MD5? Is it broken? Why? 7. Can you explain how TCP/IP works? What is ARP? 8. Who is the man in the middle? 9. Have you set up a Wifi router? Configured a firewall? 10. How do you protect yourself against malware? 11. Have you run a packet sniffer or port scanner? Why? 12. Have you ever used someone else s credentials to login? 00 Overview CSCD27 Computer and Network Security 17 Learning Objectives In-depth understanding of foundationalsecurity properties: confidentiality, integrity, authentication, and state of the art algorithms to implement them these algorithms underpin much of the security the digital world relies on if you don t understand these fundamentals, you re likely to make dangerous mistakes Awareness of the role of the above algorithms (or their absence/misuse) plays in various security scenarios, e.g.: SSL/HTTPS relies on many of these algorithms even digital currency relies on them! misuse of algorithms can expose you to crypto attacks 00 Overview CSCD27 Computer and Network Security 18 CSCD27 Computer and Network Security 6
Learning Objectives Understanding causes and mitigation for common security vulnerabilities including: buffer overflows SQL injection Web attacks network attacks Experience implementing and applying state-of-the-art security algorithms, e.g.: sending secure email, implementing standard crypto algorithm(s), writing secure code 00 Overview CSCD27 Computer and Network Security 19 Learning Objectives Fluency in security policies, principles, mechanisms, issues, acronyms, problems Experience in an adversarial role, through attacks on application code, network and Web systems constructed using standard technologies, but with some vulnerabilities baked in Understand issues and methods for authenticating humans: passwords, biometrics, multi-factor systems Awareness of the evolution and current state of malware (trojans, viruses, worms) 00 Overview CSCD27 Computer and Network Security 20 Background Preparation No prior exposure to security-related ideas assumed Programming aptitude; familiarity with some Web technologies helpful Some mathematical topics covered (finite fields, modular arithmetic, number theory), but in less depth than in the Math Crypto course (MATC16) some cryptography utilizes math problems that are computationally hard without access to a key no assumptions made on the math background all concepts will be introduced as needed 00 Overview CSCD27 Computer and Network Security 21 CSCD27 Computer and Network Security 7
Information Sources Lecture slides, weekly notes and examples Tutorial notes Recommended text (not required): Cryptography and Network Security, 6e, William Stallings, Addison Wesley, 2014, ISBN-10: 0-13-335469-5 (or earlier edition) Supplement to lecture handouts, fill gaps in understanding Well written, comprehensive coverage of most course topics Web references, provided on lectures Web page 00 Overview CSCD27 Computer and Network Security 22 Evaluation 3 assignments (cumulative 50%) both written and programming components Python, CSS, HTML, JavaScript used for implementations late submit policy: see the Course Information Sheet posted on the course Web site. final exam (50%) past exam and midterm provided for studying 00 Overview CSCD27 Computer and Network Security 23 Assignments Assignments will include a mix of written problems that reinforce concepts, and programming/implementation Programming/Implementation overview: Implement code-security attacks in Python (perform unauthorized action, get root shell access) Implement encryption algorithm in Python Sniff network packets, find MD5 hash collisions, crack keys Web attacks in HTML, CSS, JavaScript, with PHP Why not stick to theory, rather than spend time on implementation? gain insight into how algorithms work, which parts are tricky/hard something to talk about in interviews 00 Overview CSCD27 Computer and Network Security 24 CSCD27 Computer and Network Security 8
Ethical Expectations o We will be covering/applying various adversarial mechanisms in the course o As a senior Computer Science student, you are expected to uphold a high standard of personal ethics o Your knowledge of attack methods does not imply permission to exploit them, except as indicated for course assignments, and/or where all involved parties have granted consent o Just because it may seem to you like harmless fun does not make it acceptable or legal behavior! o These are not idle warnings: o UT policies are strictlyenforced o Some kinds of attacks violate civil and/or criminal codes, see e.g. https://www.hackcanada.com/canadian/freedom/canadacode.html o RCMP charge straight-a CS student in CRA Heartbleed breach o If in doubt about whether you can/should perform some act related to course topics, consult with the instructor or TA first 00 Overview CSCD27 Computer and Network Security 25 Lectures Conduct of the Course Background ideas, conceptual explanations, high-level examples Lecture slides posted on course Web site Tutorials Examples related to assignments worked out in detail Test problems from prior years Opportunity to interact with TA and classmates while working on assignment problems 00 Overview CSCD27 Computer and Network Security 26 CSCD27 Computer and Network Security 9