CIS 2050 Lecture Notes - Lecture 5: Industrial Control System, Elk Cloner, Stuxnet

Learning Outcomes:
1. Describe the historical development of cybercrime due to the
introduction of the Internet.
2. Identify some of the techniques of viruses, the different types
and their design.
3. Explain preventive methods of hacking, and the design of a
secure system.
4. Describe the systems approach to build a security system, and
how it is different from the traditional approach.
Stuxnet virus that ravaged Iran's Natanz nuclear facility was far
more dangerous than the cyberweapon that is now lodged in
the public's imagination
!
Stuxnet is known for destroying nuclear centrifuges by
causing them to spin out of control
!
Designed to secretly draw the equivalent of an electrical
blueprint of the Natanz plant to understand how the
computers control the centrifuges to enrich uranium
Previous element changed global military strategy in the 21st
century
!
Only after years of undetected infiltration did the US and
Israel unleash the second variation to attack the centrifuges
themselves and self-replicate to all sorts of computers
!
While the second Stuxnet is considered the first cyber
act of force, the new details reveal that the impact of the
first virus will be much greater
That’s because the initial attack provided a useful
blueprint to future attackers by highlighting the royal
road to infiltration of hard targets
The first version was only detected with the knowledge of the
second
!
Pretty much every single industrial or military facility that
uses industrial control systems at some scale is dependent on
its network of contractors, many of which are very good at
narrowly defined engineering tasks, but lousy at cybersecurity
!
Most modern plants operate with a standardized
industrial control system, so if one gets control of one
industrial control system, they can infiltrate many more
Civilian critical infrastructure becomes a troubling potential
target
!
Read: Business Insider. Stuxnet attack on Iran's nuclear plant was
'far more dangerous' than previously thought.
When this replication succeeds, the affected areas are
then said to be infected with a computer virus
A computer virus is a type of malicious software program
(malware) that replicates itself when executed by modifying
other computer programs and inserting its own code
!
The vast majority of viruses target systems running
Microsoft Windows, employing a variety of
mechanisms to infect new hosts, and often using
complex anti-detection/stealth strategies to evade
antivirus software
Motives: profits, political messages, amusement,
demonstrate vulnerability in software or to explore
cyber security issues/ artificial life/ evolutionary
algorithms
Virus writers use social engineering deceptions and exploit
detailed knowledge of security vulnerabilities to initially
infect systems and spread the virus
!
In response, free and open-source antivirus tools have
been developed and an industry of antivirus software
has cropped up
As of 2005, even though no currently existing antivirus
software was able to uncover all computer viruses,
computer security researchers are actively searching for
new ways to enable antivirus solutions to more
effectively detect emerging viruses before they are
widely distributed
Computer viruses cause billions of dollars worth of economic
damage each year by causing system failure, wasting
computer resources, corrupting data, increasing maintenance
costs, etc.
!
The majority of active malware threats are actually
trojan horse programs or other computer worms, rather
than computer viruses
The term computer virus is a misnomer
Acquisition of hard disk space or central
processing unit (CPU) time
!
Accessing private information
!
Corrupting data
!
Displaying political or humorous messages on the
user's screen
!
Spamming their email contact
!
Logging their keystrokes
!
Rendering the computer useless
!
Viruses often perform some type of harmful activity on
infected host computers, such as:
The defining characteristic of viruses is that they
are self-replicating computer programs which
modify other software without user consent
!
Not all computer viruses carry a destructive "payload"
and attempt to hide themselves
"Malware" encompasses computer viruses along with many
other forms of malicious software (computer worms,
ransomware, spyware, adware, trojan horses, keyloggers,
rootkits, bootkits, malicious browser helper object aka BHO)
!
Design for a self-reproducing computer program
is considered the first computer virus
!
He is considered to be the theoretical "father" of
computer virology
!
First academic work on the theory of self-replicating
computer programs was done in 1949 by John von
Neumann
Described a fully functional virus written in
assembler programming language for a SIEMENS
4004/35 computer system
!
In 1972, Veith Risak built upon this work
In 1980 Jürgen Kraus postulated that computer
programs can behave in similar ways to biological
viruses
Gained access via ARPANET and copied
itself to the remote system where there was
a message "I'm the creeper, catch me if you
can!" displayed
"
Reaper program was created to delete
Creeper
"
1970s: Creeper virus used ARPANET to infect
DEC PDP-10 computers running the TENEX
operating system
!
Written by a 9th grader as a practical joke
"
Virus attached itself to the Apple DOS 3.3
operating system and spread via floppy disk
(injected in a game)
"
On its 5th use, the virus would be activated,
infecting the personal computer and
displaying a short poem beginning with
"Elk Cloner: the program with a
personality"
"
1982: "Elk Cloner" was first personal computer
virus (to appear outside a computer lab)
!
No algorithm that can perfectly detect all
possible viruses
"
Theoretical compression virus -example of
a virus which was not malware but well-
intentioned (benevolent)
"
*1987: Fred Cohen coined the term "virus" with
his paper "Computer Viruses - Theory and
Experiments"
!
1984: use of virus functions to provide virtual
APL interpreter under user control -J.B. Gunn
!
Deter unauthorized copying of software
they had written
"
1986: first IBM PC virus in the "wild" = ©Brain
!
Relied on DOS interrupts
"
1992: first virus to target Microsoft Windows,
WinVir was discovered
!
1996: Boza virus targeted Windows 95
!
1997: encrypted, memory-resident stealth virus
Win32.Cabanas was released - first known
virus to target Windows NT (and 3.0 and 9x
hosts)
!
1987: SCA virus targeted home computers
!
Users would be required to click on a link
to activate the virus, which would then send
an email containing user data to an
anonymous email address
"
This included IP address, email address,
contacts, website browsing history, and
commonly used phrases
"
2001: Win32.5-0-1 targeted MSN Messenger and
online bulletin boards
!
2008: larger websites used part of Win32.5-0-1 to
track web users advertising-related interests
!
First examples:
Historical Development:
!
Every computer virus must also contain a
routine to copy itself into the program
which the search routine locates
"
*a viable virus must contain a search routine,
which locates new files or new disks which are
worthwhile targets for infection
!
Typically has a search routine, which
locates new files or new disks for
infection
!
Infection mechanism (or vector) -how the
virus spreads or propagates
"
Such as: particular date/time,
presence of another program, capacity
of the disk exceeding some limit, or a
double-click that opens a particular
file
!
Trigger (logic bomb) -the compiled version
that could be activated any time an
executable file with the virus is run that
determines the event or condition for the
malicious "payload" to be activated or
delivered
"
May be noticeable (as most of the
time the payload itself is harmful
activity) or sometimes non-
destructive but distributive, which is termed a
virus hoax
!
Payload -the actual body or data that
perform the actual malicious purpose of the
virus
"
Main three parts:
!
Parts:
Virus program is idle but has managed to
access the target user's computer or
software, but during this stage, the virus
does not take any action
"
Virus will be activated by the "trigger"
"
Not all viruses have this stage
"
Dormant phase
!
Virus starts propagating (multiplying and
replicating)
"
Virus places a copy of itself into other
programs or into certain system areas on the
disk
"
Viruses often morph or change to
evade detection
!
Copy may not be identical to the
propagating version
"
Each infected program will now contain a
clone of the virus, which will itself enter a
propagation phase
"
Propagation phase
!
Dormant virus moves into this phase when
it is activated
"
Can be caused by a variety of system events
(including a count of the number of times
that this copy of the virus has made copies of
itself)
"
Triggering phase
!
Actual work of the virus, where the payload
will be released
"
It can be destructive such as deleting files
on disk, crashing the system, or corrupting
files or relatively harmless such as popping
up humorous or political messages on-
screen
"
Execution phase
!
Phases:
Operations and Functions:
!
Resident viruses overwrite interrupt
handling code or other functions, and when
the operating system attempts to access the
target file or disk sector, the virus code
intercepts the request and redirects the
control flow to the replication module,
infecting the target
"
A memory-resident virus installs itself as part of
the operating system when executed, after which
it remains in RAM from the time the computer is
booted up to when it is shut down
!
A non-memory-resident virus when executed,
scans the disk for targets, infects them and then
exits
!
Resident vs Non-resident Viruses
Many common applications (Microsoft
Outlook/Word) allow macro programs to be
embedded in documents or emails, so that the
programs may be run automatically when the
document is opened
!
A macro (document) virus is a virus that is written
in a macro language, and embedded into these
documents so that when users open the file, the
virus code is executed and can infect the user's
computer
!
Macro Viruses
Specifically target the boot sector and/or the
Master Boot Record (MBR) of the host's hard
drive or removable storage media
!
Boot Sector Viruses
Intentionally uses the email system to spread
!
While virus-infected files may be accidentally
sent as email attachments, email viruses are
aware of email system functions
!
Generally target a specific type of email system
(Microsoft Outlook is most common), harvest
email addresses from various sources and may
append copies of themselves to all email sent, or
may generate email messages containing copies
of themselves as attachments
!
Email Virus
Infection Targets and Replication Techniques:
!
Does not fool antivirus software
"
Some old viruses (especially on MS-DOS
platform) make sure the "last modified" date of a
host file stays the same when the file is infected
by the virus
!
= cavity viruses
!
Overwrite unused areas of executable files
"
Ex. Chernobyl Virus (CIH) infects portable
executable files
"
Some viruses can infect files without increasing
their sizes or damaging the files
!
Some viruses try to avoid detection by killing the
tasks associated with antivirus software before it
can detect them (ex. Conficker)
!
In order to avoid detection, some viruses employ
different kinds of deception
In Microsoft Windows operating systems,
the NTFS file system is proprietary
"
Leaves antivirus software little alternative
but to send a "read" request to Windows OS
files that handle such requests
"
Some viruses trick antivirus software by
intercepting its requests to the Operating
System
"
A virus can hide by intercepting the request
to read the infected file, handling the
request itself, and returning an uninfected
version of the file to the antivirus software
"
Interception can occur by code injection of
the actual operating system files that would
handle the read request
"
Thus, an antivirus software attempting to
detect the virus will either not be given
permission to read the infected file, or the
"read" request will be served with the
uninfected version of the same file
"
Once infection occurs, any recourse to "clean"
system is unreliable
!
Security software can then be used to check
the dormant operating system files
"
Most security software relies on virus
signatures, or they employ heuristics
"
Security software may also use a database
of the file "hashes" for Windows OS files,
so the security software can identify altered
files, and request Windows installation
media to replace them with authentic
versions
"
Therefore, using file hashes to scan
for altered files would not always
guarantee finding an infection
!
In older versions of Windows, file
cryptographic hash functions of Windows
OS files stored in Windows (to allow file
integrity/authenticity to be checked) could
be overwritten so that the System File
Checker would report that altered system
files are authentic
"
The only reliable method to avoid stealth viruses
is to "reboot" from a medium that is known to be
clear
!
Read Request Intercepts:
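The hash-database check described above, as an added example that is not part of the original notes: a baseline of SHA-256 file hashes is sealed with an HMAC so that an overwritten hash database is detected instead of trusted. The file names, the key and the directory contents are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large system files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's path (relative to root) to its SHA-256 hash."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_baseline(baseline, key):
    """Attach an HMAC tag; the key is assumed to be kept off the scanned host."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline,
            "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_seal(sealed, key):
    """Return True only if the stored hashes are the ones that were sealed."""
    body = json.dumps(sealed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def compare(root, sealed, key):
    """Report altered, missing and unexpected files against a sealed baseline.

    The hashes are computed from whatever the running OS returns, so on a
    system with read-request intercepts this must run after booting from a
    medium known to be clean, as the notes state.
    """
    if not verify_seal(sealed, key):
        raise ValueError("baseline failed authentication; do not trust its hashes")
    current = build_baseline(root)
    known = sealed["baseline"]
    return {
        "altered": sorted(n for n in known if n in current and current[n] != known[n]),
        "missing": sorted(n for n in known if n not in current),
        "unexpected": sorted(n for n in current if n not in known),
    }


def demo():
    """Constructed scenario: one file modified, one file dropped, baseline forged."""
    key = b"constructed-demo-key"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "kernel.sys").write_bytes(b"original driver bytes")
        (root / "shell.exe").write_bytes(b"original shell bytes")
        sealed = seal_baseline(build_baseline(root), key)

        # Simulated infection: a host file grows and a new file appears.
        (root / "shell.exe").write_bytes(b"original shell bytes + appended code")
        (root / "dropped.dll").write_bytes(b"new file")
        report = compare(root, sealed, key)

        # Simulated overwrite of the hash database so the altered file "matches".
        forged = {"baseline": dict(sealed["baseline"]), "tag": sealed["tag"]}
        forged["baseline"]["shell.exe"] = sha256_file(root / "shell.exe")
        forged_accepted = verify_seal(forged, key)
    return report, forged_accepted


if __name__ == "__main__":
    print(demo())
```
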
*most antivirus programs try to find virus
patterns inside ordinary programs by scanning
them for virus signatures
!
One method of signature detection evasion
is to use simple encryption to encipher
(encode) in the body of the virus, leaving
only the encryption module and a static
cryptographic key in the cleartext (which
does not change from one infection to the
next)
"
Virus consists of a small decrypting module
and an encrypted copy of the virus code
"
Virus scanner can still detect decrypting
module indirectly
"
Self-modifying code is such a rarity that it
may be reason for virus scanners to at least
"flag" the file as suspicious
"
An old but compact way will be the use of
arithmetic operations and the use of logical
conditions
"
= cryptovirology
!
At these times, the executable will
decrypt the virus and execute its
hidden runtime, infecting the
computer and sometimes disabling
the antivirus software
!
Some viruses will employ a means of
encryption inside an executable in which
the virus is encrypted under certain events,
such as the virus scanner being disabled for
updates or the computer being rebooted
"
Encrypted Viruses
!
First technique that posed serious threat to
virus scanners
"
Infects files with an encrypted copy of
itself, which is decoded by a decryption
module, which itself is modified on each
infection
"
Therefore, a polymorphic virus has no parts
which remain identical between infections
"
Antivirus software can detect it by
decrypting the viruses using an emulator, or
by statistical pattern analysis of the
encrypted virus body
"
To enable polymorphic code, the virus has
to have a polymorphic engine somewhere in
its encrypted body
"
Makes it more difficult for antivirus
professionals and investigators to
obtain representative sample of the
virus
!
Can employ polymorphic codes that
constrains the mutation rate
"
Polymorphic Code
!
Some viruses rewrite themselves
completely each time they are to infect new
executables
"
Viruses that utilize this technique are said to
be in metamorphic code (with a
metamorphic engine)
"
A metamorphic virus is usually large and
complex (ex. W32/Simile)
"
Metamorphic Code
!
Self-Modification
Stealth Techniques:
!
Software is designed with security features to
prevent unauthorized use of system resources,
many viruses must exploit and manipulate
security bugs, which are security defects in a
system or application software, to spread
themselves and infect other computers
!
Software development strategies that produce
large number of "bugs" will generally also
produce potential exploitable "holes" or
"entrances" for the virus
!
Software Bugs
In order to replicate itself, a virus must be
permitted to execute code and write to memory
!
For this reason, many viruses attach themselves to
executable files that may be part of legitimate
programs
!
If a user attempts to launch an infected program,
the virus' code may be executed simultaneously
!
Social Engineering and Poor Security Practices
Due to Microsoft's large market share of
desktop computer users
"
Vast majority of viruses target systems running
Microsoft Windows
!
Diversity of software systems on a network limits
the destructive potential of viruses and malware
!
Many Windows users are running the same
set of applications, enabling viruses to
rapidly spread among Microsoft Windows
systems by targeting the same exploits on a
large number of hosts
"
Open-source operating systems such as Linux
allow users to choose from a variety of desktop
environments, which means that malicious code
targeting any of these systems will only affect a
small subset of users
!
Windows users are generally not prevented from
making changes to operating systems
!
Vulnerability of Different Operating Systems
Vulnerabilities and Infection Vectors:
!
Antivirus software can detect and eliminate
known viruses when the computer attempts to
download or run the executable file (which may
be distributed as email attachments or on USB flash
drives)
!
Some antivirus software blocks unknown
malicious websites that attempt to install malware
!
Users must update their software regularly
to patch security vulnerabilities (holes) and
recognize the latest threats
"
Antivirus software does not change the
underlying capability of hosts to transmit viruses
!
German AV-TEST institute published evaluations
of antivirus software for Windows and Android
!
Examine the content of the computer's
memory (its Random Access Memory
aka RAM and boot sectors) and the
files stored on fixed or removable
devices, and compare those files
against a database of known
"signatures"
!
Virus signatures are just strings of
code that are used to identify
individual viruses
!
1st: using list of virus signature definitions
"
Has ability to detect new viruses for
which antivirus security firms have
yet to define a "signature"
!
Gives rise to more false positives vs
using signatures
!
2nd: using heuristic algorithm based on
common virus behaviours
"
Two common methods:
!
Antivirus Software
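The two detection methods above, together with the earlier points that a static decrypting module stays detectable and that an encrypted body can be found by statistical analysis, as an added example that is not part of the original notes. The signature strings are constructed markers, the samples are constructed byte buffers, and the entropy threshold and block size are assumptions.

```python
import math
import random
import zlib
from collections import Counter

# Constructed marker strings standing in for vendor signature definitions.
SIGNATURES = {
    "Demo.Known.A": b"CONSTRUCTED-KNOWN-BODY-MARKER",
    "Demo.Decryptor.Stub": b"CONSTRUCTED-STATIC-DECRYPTOR",
}
ENTROPY_THRESHOLD = 7.2  # bits per byte; assumed cut-off for "looks encrypted"
BLOCK = 2048             # assumed analysis window in bytes


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def signature_hits(data):
    """Method 1: exact byte-pattern match against the signature list."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def high_entropy(data):
    """Method 2 (one heuristic): flag any block whose bytes look near-random."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return any(len(b) >= 256 and shannon_entropy(b) > ENTROPY_THRESHOLD
               for b in blocks)


def scan(data):
    return {"signatures": signature_hits(data), "heuristic": high_entropy(data)}


def build_samples():
    """Constructed inputs; none of them is executable code."""
    rng = random.Random(2050)
    text = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz ")
                   for _ in range(20000)).encode()

    def noise(length):
        # Stand-in for an encrypted body: uniformly random bytes.
        return bytes(rng.getrandbits(8) for _ in range(length))

    return {
        # Ordinary low-entropy content, no known pattern.
        "clean_program": text,
        # Known pattern embedded in otherwise ordinary content.
        "known_virus": text[:4000] + SIGNATURES["Demo.Known.A"] + text[4000:],
        # Encrypted body, but the cleartext decryptor never changes.
        "encrypted_static_stub": SIGNATURES["Demo.Decryptor.Stub"] + noise(4096),
        # No bytes stay constant between copies, so no signature can match.
        "polymorphic_like": noise(4096),
        # Legitimate compressed data is also near-random: a false positive.
        "benign_compressed": zlib.compress(text, 9),
    }


def scan_all():
    return {name: scan(data) for name, data in build_samples().items()}


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:24} {result}")
```

The `benign_compressed` result is the false-positive cost the notes attribute to heuristics: the entropy test cannot tell a compressed archive from an encrypted body.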
Timely operating system updates
!
Software updates
!
Careful internet browsing
!
Installation of only trusted software
!
Other preventative Measures:
Virus Removal
!
Operating System Reinstallation
!
Recovery Strategies and Methods
Cross-site scripting -exploit websites to send
emails or messages with links to one's contacts to
propagate virus
!
Viruses and the Internet
Countermeasures:
!
Read: Computer Virus (Wikipedia)
Changes in engineering are making traditional safety analysis
techniques increasingly less effective
!
New, more powerful safety analysis techniques based on
systems theory
!
Systems theory can provide a powerful foundation for security
and safety
!
Safety experts -see their role as preventing losses due to
unintentional actions by benevolent actors
Security experts -see their role as preventing losses due
to intentional actions by malevolent actors
Key difference is the intent of the actor that produced
the loss of the event
Safety vs Security
!
Overall role of the entire socio-technical system as a
whole in achieving security and safety can be
considered, not just low-level hardware or operator
behaviour
More efficient use of resources and the potential for
resolving conflicts between safety and security early in
the development process
By taking a common top-down system engineering approach
to security and safety, several benefits accrue
!
Goal is to ensure the critical functions and
ultimately the services that the network and the
systems provide are maintained in the face of
disruptions
!
Goal of security is not to guard the physical network
and prevent intrusions, which is threat-focused
By changing to a strategic viewpoint, rather than
starting with tactics, security analysts and defenders can
proactively shape the situation by identifying and
controlling system vulnerabilities rather than defending
from a position of disadvantage by being forced to react
to continually changing threats and other environmental
disruptions
Applying systems theory and systems engineering to security
measures requires initially focusing on high-level strategy
!
Security focuses on how defenders can close holes in
their networks that might otherwise allow adversaries to
gain access and create disruptions
Cybersecurity is typically framed as a battle between
intelligent adaptive adversaries and defenders
!
Tactics - prudent means to accomplish a specific action
*tactics is focused on physical threats, while strategy is
focused on abstract outcomes
Strategy -art of gaining and maintaining a continuing
advantage
!
Tactic models treat the threat as the cause of the loss
In tactic models, losses are conceptualized as specific events
caused by threats
!
Can then analyze their systems to determine the most
likely route attackers may take to achieve their goal
Resources can then be allocated to erect a "defense in
depth" to prevent losses
Preventing losses is heavily dependent on the degree to which
security analysts can correctly identify potential attackers
!
Result is a small and more manageable set of potential
losses stated at a high level of abstraction
Tactics: question of how to best guard the
network against threats
!
Begins with questions about what essential services and
functions must be secured against disruptions and what
represents an unacceptable loss
Analysis moves from general to specific, from abstract
to concrete
In contrast to a tactics-based, bottom up approach, a top-
down , strategic approach starts with identifying the system
losses that are unacceptable and against which the system
must be protected
!
Provides philosophical and intellectual foundation for
systems engineering and for a new, more inclusive
model of accident causality called System-Theoretic
Accident Model and Processes (STAMP)
Initial error = root cause which leads to the failure
of other components until the loss occurs
!
Effective for systems with limited complexity
!
Traditional causality models used in safety attribute
accidents to an initial component failure or human error
that cascades through a set of other components
(dominoes)
Envisions losses as resulting from interactions
among humans, physical system components and
the environment that lead to the violation of
safety constraints
!
Focus shifts from "preventing failures" to
"enforcing safety constraints on system
behaviour"
!
STAMP --> security and safety
Constraints on system behaviour are enforced by
controls in a hierarchical control structure, where each
level of the structure enforces the required constraints
on the behaviour of the components at the next lower
level
In systems and control theory, every controller must
contain a model of the process it is controlling
Performing safety (hazard) and security
(vulnerability) analysis allows a broad perspective
on potential causes for a loss
!
Providing a control action that leads to a
hazard
"
Not providing a control action that is
needed to prevent a hazard
"
Providing a control action too early or too
late out of sequence
"
Continuing a control action too long or
stopping it too soon
"
First step is to identify potentially unsafe control
actions:
!
STPA (System-Theoretic Process Analysis) is a new
hazard analysis technique based on STAMP
Addition of intentional actions in the generation
of the causal scenarios
!
STPA-Sec is an extension to STPA to include security
analysis
Focusing on strategy can be achieved by adopting a new
systems-theoretic causality model recently developed to
provide a more powerful approach to engineering for safety
!
Key question: how to control vulnerabilities (rather than
avoid threats)
By using a causality model based on systems theory, an
integrated and more powerful approach to safety and security
is possible
!
Read: Integrated approach to safety and security based on systems
theory
Some target power, utilities and infrastructure
Computer viruses and trojans are designed to do anything from
stealing data to watching you through your webcam
!
30,000 new infected websites every day
>80% are small businesses
~250,000 new pieces of malware every day
!
Can now test quality of viruses
Technical installation guides
!
Technical support
!
Have crime packs with business intelligence dashboards
to manage distribution of their codes (Black hole)
Cybercriminals are professional and organized
!
Email
USB keys
Will re-direct webpage
!
Fake antivirus will open -create serious alerts
!
Provides attackers with access to data
!
In order to clean up fake viruses, need to register
the product
!
Comments on webpage
Ways to become infected:
!
Attacks can occur incredibly quickly - virus will write out
malicious code
!
Use secure coding practices
!
Convenience vs. privacy and security
Even when not using wireless connectivity, one can see the
networks one has previously connected to via wireless
scanning
!
Watch: Everyday cybercrime and what you can do about it
Internet has problems with security and privacy
!
Code says where it is from
Basit and Amjad --> phone number and address in
Pakistan
Brain.A -first virus found on PC computers (1986)
!
Used to be fairly easy to know when computer was
affected
Viruses are found every day at massive counts
(10,000-100,000s every day)
Viruses have evolved
!
Keyloggers -record everything you type
!
Can get access to passwords, financial
information, etc.
!
Once you infect a computer, someone can buy the
computer
Now have a whole underground market and business
ecosystem built on online crime
'gangs' make viruses
!
Online crime generates so much money they can invest
in themselves (hire people, watch security)
I.M.U. -cybercrime operation that made millions
!
Do not have capability to globally track these
One single malware family moves throughout the world: will
shift from one country to another
!
Encrypting code can cause downloads
!
Vast majority of online crime cases go nowhere
!
A PLC was infected by Stuxnet
We are reliant on these computers working
PLCs -run infrastructure around us (ex. Elevators)
!
Fault-tolerance
Relying on technology should not mean we can't operate
without it
!
Need more global, international law enforcement work
More important than running firewalls or antivirus
software
If we don’t fight online crime, we are running a risk of losing
it all
!
Watch: Fighting viruses, defending the net
Can download product data from the web, personalize it and
have information sent to a desktop machine that will fabricate
it on the spot
!
Additive manufacturing = 3D printing
!
Builds objects layer by layer
Typically have been too inefficient, expensive, and
inaccessible
Will change and disrupt the landscape of manufacturing
3D printers have been around for 30 years but are just starting
to filter into the public arena
!
Data gets sent to a machine that slices data into 2D
layers
Deposits material layer over layer and fuses them
together through additive mechanisms
Depositing and then melting OR melting and depositing
Typically reads CAD data
!
Can abolish need for manual labor
Can have incredible resolution
Products are very intricate -more intricate than any other
manufacturing process
!
Used by product designers, architects (prototypes), engineers
!
Very little economies of scale
!
Uses less material waste
Products can become more efficient
!
Implants can be specific to individuals
Can create implants that are highly porous -less chance of
rejection
!
As detail and quality is improving, these machines are
becoming less expensive and faster
!
Processes are starting to break down barriers
Technology is going to cause revolution in
manufacturing
Most public does not know how to use data in 3D printers
!
Google SketchUp -create products from scratch
!
Machines can fabricate themselves
!
Variant production existed before but now we can
further manipulate products
--> next generation of customization
!
Software will keep individual within the bounds of reality
(and safety)
!
Dental fillers
Implants (MRI --> unique)
Layering cells to create body parts is a work in
progress
Can be used for prosthetics that are specific to the individual
!
Watch: Primer on 3D printing
Frustrated to have a unique password for each system used
!
Eight characters
Uppercase and lowercase
Digit
Symbol
No more than 3 of any letter
Cannot be in dictionary
New password policy:
!
Passwords must have a lot of entropy (strength)
!
Felt more secure with new passwords
!
80% re-use password -more susceptible to
attackers
!
Most common symbol (~40%) is "!"
!
Study at university about passwords from 470 students,
faculty, and staff
Collected 5000 passwords with various policies
!
Only a small number of symbols were still used
!
Some did have long passwords that
were not very strong -requires
additional requirements
!
Long passwords are more secure and may
even be stronger than complex passwords
"
Not a good measure of password strength -
figured out how fast they could crack these
passwords
!
Made people create passwords (amazon mechanical
turk)
No actual "good" data on passwords -cannot measure entropy
!
Guess passwords that are most common (password,
iloveyou…etc)
Hackers will run various passwords through a hash function to
see if they match up
!
Tested different password meters
Password meters do work and are fairly effective
Most effective were ones that made you work harder
before they provided feedback (positive)
Password meters: do they actually work?
!
Used mechanical turk but made computer pick random
words in passphrase
One condition: random common dictionary words
Another condition: different word types (more
memorable)
Pronounceable passwords -not real words
Pronounceable passwords were better
!
People were not better at remembering these
passphrases
Use passphrases vs. passwords
!
Computer science students had passwords 1.8x stronger
than business passwords
Analyzed 25,000 real passwords
!
Monkey - pet named monkey; they like monkey; monkey as a
nickname
!
Either make passwords easy to type/remember, something
familiar or something that makes us happy
!
Watch: What is wrong with your pa$$word?
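The password policy listed above, as an added example that is not part of the original notes. It assumes "eight characters" is a minimum, that repeated letters are counted case-insensitively, and that the dictionary check may strip digits and symbols first; the word list is constructed.

```python
import string
from collections import Counter

# Constructed stand-in for a dictionary; a real deployment would load a word list.
DICTIONARY = {"password", "iloveyou", "monkey", "welcome", "dragon"}


def letters_only(password):
    """Lower-case the password and drop everything that is not a letter."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def policy_violations(password, normalise_dictionary=True):
    """Return the rules of the notes' policy that the password breaks.

    Rule names, in fixed order: length, uppercase, lowercase, digit,
    symbol, repeat, dictionary.
    """
    violations = []
    if len(password) < 8:
        violations.append("length")
    if not any(ch.isupper() for ch in password):
        violations.append("uppercase")
    if not any(ch.islower() for ch in password):
        violations.append("lowercase")
    if not any(ch.isdigit() for ch in password):
        violations.append("digit")
    if not any(ch in string.punctuation for ch in password):
        violations.append("symbol")

    # "No more than 3 of any letter", counted without regard to case.
    letter_counts = Counter(ch.lower() for ch in password if ch.isalpha())
    if any(count > 3 for count in letter_counts.values()):
        violations.append("repeat")

    # An exact-match dictionary check misses a dictionary word that has only
    # been capitalised and given a digit and a symbol.
    candidate = letters_only(password) if normalise_dictionary else password
    if candidate in DICTIONARY:
        violations.append("dictionary")
    return violations


def review(passwords, normalise_dictionary=True):
    """Check a batch of passwords and return {password: [violations]}."""
    return {pw: policy_violations(pw, normalise_dictionary) for pw in passwords}


if __name__ == "__main__":
    samples = [
        "Monkey1!",                      # dictionary word plus the common "!"
        "Tr0ub4dor&3",                   # complies with every rule
        "Ab1!",                          # too short
        "aaaaB1!x",                      # one letter used four times
        "correct horse battery staple",  # long passphrase, no complexity
    ]
    for pw, found in review(samples).items():
        print(f"{pw!r:34} {found or 'ok'}")
    print("exact-match dictionary:", review(["Monkey1!"], normalise_dictionary=False))
```

The long passphrase fails four rules even though the study in the notes found long passwords can be stronger than complex ones, and `Monkey1!` passes every rule unless the dictionary check normalises its input.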
Normally, computing technology is never completely secure
and safety-proof (even in a nuclear plant or bank account)
!
The race to make a computing system secure and safe is
an on-going concern, and it affects concepts in the
design of security systems
Cybercrime is never too far off when technology interacts
with the Internet
!
All of them require an entry point into your computer
system
Some of them can reside in the most critical part of the
system, and others may change their code from one
iteration to another
There are many types of computer viruses
!
It is top-down and strategic, evaluating interactions between
elements rather than being ad hoc
It may also sacrifice less important components to
secure the more important ones
The systems approach to designing a secure computing system
is a better bet for securing a computing system
!
Key Points:
Questions:
1. What are some ways you can secure your computer system?
Keep an updated system after update is stabilized
Use an acceptable password (sufficient length, no
common words, not reused across different platforms)
Have some forms of security measure such as firewall
and regular virus scan
2. What are the security issues with 3D printing?
Threats to manufacturing innovations
Creation of unauthorized objects (like firearms)
3. Why is it hard to define and prosecute crime in the internet?
Laws are usually national
Differentiation between fair and unfair use of
intellectual property can be difficult
Difficulty in determining criminal responsibilities
Safety & Security
#$%&'()*+, -./&%)&*, 0+,1230
4521,67

Read: Business Insider. Stuxnet attack on Iran's nuclear plant was 'far more dangerous' than previously thought.
- The Stuxnet virus that ravaged Iran's Natanz nuclear facility was far more dangerous than the cyberweapon that is now lodged in the public's imagination
- Stuxnet is known for destroying nuclear centrifuges by causing them to spin out of control
- Previous element changed global military strategy in the 21st century
  - Designed to secretly draw the equivalent of an electrical blueprint of the Natanz plant to understand how the computers control the centrifuges to enrich uranium
  - The worm (delivered through a worker's thumb drive) subtly increased the pressure on spinning centrifuges while showing the control room that everything appeared normal by replaying recordings of the plant's protection system values during the attack
  - Intended effect was not destroying the centrifuges, but reducing the lifetime of Iran's centrifuges and making the Iranians' fancy control systems appear beyond their understanding
- Only after years of undetected infiltration did the US and Israel unleash the second variation to attack the centrifuges themselves and self-replicate to all sorts of computers
- The first version was only detected with the knowledge of the second
  - While the second Stuxnet is considered the first cyber act of force, the new details reveal that the impact of the first virus will be much greater
  - That's because the initial attack provided a useful blueprint to future attackers by highlighting the royal road to infiltration of hard targets
- Pretty much every single industrial or military facility that uses industrial control systems at some scale is dependent on its network of contractors, many of which are very good at narrowly defined engineering tasks, but lousy at cybersecurity
- Civilian critical infrastructure becomes a troubling potential target
  - Most modern plants operate with a standardized industrial control system, so if one gets control of one industrial control system, they can infiltrate many more
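
The replay described in these notes (recorded protection-system values shown to the control room while the process changed) can leave a trace that monitoring can look for: noisy analog readings do not repeat exactly over a long run. The following is an added example, not part of the lecture notes or the article; the function names, window size, thresholds and the constructed readings are all assumptions chosen for illustration.

```python
import random
from typing import Dict, List, Optional, Tuple


def find_replayed_window(
    samples: List[float], window: int = 12, min_distinct: int = 6
) -> Optional[Tuple[int, int]]:
    """Find the earliest verbatim repeat of `window` consecutive readings.

    Returns (original_start, repeat_start), or None when no window repeats.
    Windows holding fewer than `min_distinct` different values are skipped,
    so a steady or coarsely quantised signal is not reported as a replay.
    """
    if window < 1:
        raise ValueError("window must be at least 1")
    first_seen: Dict[Tuple[float, ...], int] = {}
    for start in range(len(samples) - window + 1):
        chunk = tuple(samples[start:start + window])
        if len(set(chunk)) < min_distinct:
            continue  # too flat to tell a replay from a steady process
        original = first_seen.setdefault(chunk, start)
        # Only count a repeat that does not overlap the window it copies.
        if start - original >= window:
            return original, start
    return None


def constructed_feeds(seed: int = 2050) -> Tuple[List[float], List[float]]:
    """Constructed sample data (not real plant telemetry).

    `live` is a noisy pressure reading around 100 units. `replayed` is the
    same feed with samples 40-79 played back in place of samples 80-119.
    """
    rng = random.Random(seed)
    live = [round(100.0 + rng.gauss(0.0, 0.5), 4) for _ in range(120)]
    replayed = live[:80] + live[40:80]
    return live, replayed


if __name__ == "__main__":
    live, replayed = constructed_feeds()
    print("live feed:    ", find_replayed_window(live))
    print("replayed feed:", find_replayed_window(replayed))
    print("steady feed:  ", find_replayed_window([100.0] * 60))
```

The check flags only verbatim playback, so it belongs alongside other plausibility checks on the same process values rather than in place of them.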