Good morning everyone. Welcome to the Tuesday lectures and the lab in the afternoon. There are two reasons why it is a little more relaxing for me today. The first is that this is not my first day. Yesterday you have seen me, you have heard one lecture, and I have also gone through this process and delivered one lecture. The second is that today I am going to take only the first five or ten minutes maximum. I am going to encourage you to ask any questions that you have about the lecture that I gave yesterday, anything that remained, and I also hope that some of you had the chance, the opportunity and the time to look up some of the information that I gave yesterday. For instance the site at atlas.arbor.net. I hope some of you had a chance to see it; if not, please do that. Similarly the CERT-In website, similarly the story about Vikram Buddhi. So whenever you get the chance please do follow up, because that will help your understanding a little better.

So let me first outline the plan for today. After the first five minutes, where depending on the questions that you have I will take a few of them, two of my students will take over. The first will be a student doing his PhD in IIT Bombay. I will introduce him in detail later. His name is Ashok Kumar. He is going to talk to you about the lab that you are doing on Wednesday afternoon, the 16th afternoon; it is on OSSEC. So he will tell you what a security information and event management system is and what an example of such software is; that software is called OSSEC. I will lead you through that and he will give you a demo which will be useful for you when you do the lab on Wednesday afternoon. Following that, an M.Tech student will talk to you a little bit about log analysis and lead you through some of the exercises that you will be doing on Friday afternoon. So please do pay sufficient attention during those two talks and demos. The lecture will be to set the stage and the demo will be closer to what you actually have to do in the lab. So with that preamble let me encourage you to ask questions, and please follow the normal protocol: if you have questions to ask, please flag it and I will take 4 or 5 questions from yesterday's lecture or anything else that is relevant to the course.

Good morning. Good morning. I am Dr. Satsangi from Indore Medi-Caps Institute. Go ahead. After listening to you yesterday I was a little afraid, because in today's scenario all our activities, for example buying and selling of shares, online trading, our reservation system, everything is online, and the kind of attacks you mentioned yesterday and how careful we have to be seems rather... I am rather curious: are we in the safe zone? Please answer. Thank you.

Okay, lighter answer first. I am sure most of the people attending this course are married. So is marriage a safe institution? Is it easy? Do we get by without trouble? So, like that, this is not meant to scare you. This is something that we have to live with, and the very reason, like Professor Phatak mentioned, for emphasizing this course is that India, like most other countries, has realized that the best solution lies in trained, educated manpower. The defense can be automated: there are tools which you will learn about and there are sensible precautions and guidelines which are well known and which will mitigate the attack. But all the organizations in India, especially those dealing with business and finance, trading, market shares, and even other strategic organizations like defense or BARC or ISRO, government organizations, will require a large number of well trained security professionals. There is nothing like having a hands-on person in every organization who is in charge of the security. It is called CISO, Chief Information Security Officer. Just like every company has a CEO, Chief Executive Officer, and so on, almost every company now is looking for well qualified candidates to be led by a CISO, Chief Information Security Officer. So many of your students will find very attractive career prospects if they start picking up the trends in this area. So this is simply an answer which says that when you have to live with something, you cannot live without it. So just think how you will be able to do all the other things that we take for granted, and since it is a fact of life we have to, and it is not so bad. I mean, in the last 10, 15 years there have been incidents, but nothing that has caused a catastrophe. So let us be optimistic rather than pessimistic. Okay, I hope that answers it partly, but of course what you raised is a very valid concern. Let me handle some more questions, and then, Vaishnav Institute, Indore. Yes, sir.

Sir, I am open with you. I have one query. Sir, I am teaching the network security subject to the students, and however much effort I put in, the students are not getting interested. They always think, what is in it? But I am not able to justify it to them. So what can I do for it?

Okay, two answers. The first one is slightly more philosophical. I think you might have heard this expression called Adikara Bedam, which says that different people have different capacities, different interests, and if you go to an ocean and all you have with you is a tumbler or a pot or a spoon, then how much water you can bring back depends on what capacity you have. So it is not necessary that everybody should get interested. This is true for all courses, but I think you are misreading the situation, in the sense that this is a topic which is among the popular ones. This is not something that I think most students will shy away from once they realize that there are different aspects of the course. There are some aspects which are purely mathematical, where you need a strong grasp of mathematics, number theory, cryptography and so on, but there are some aspects which are also very practical, hands-on oriented, like the labs that you are doing: Wireshark, sniffing the traffic, analyzing the logs, finding flaws. And so I think there will be a mix of reactions, and only with experience, like I said in my original talk at the inauguration, only 25 percent of the learning can come from the teacher. So do not worry too much, and I am sure that, like I said, as the job prospects and the information about how important this area is reaches them, like the previous question also asked, then I am sure you will find the interest picking up quite a bit. So let us again be optimistic; that is the answer I can give. The next question I will take.

Good morning sir. I am Vikram Sagar from MIT Institute of Technology. My question is related to yesterday's DNS session. Actually sir, our IP address is for a Maharashtra location; it has given me an IP address for the location, but the location it has shown is Aurangabad, Bihar. Why such ambiguity, and how can we touch that DNS data?

Okay, I will give a top level quick answer; of course for details you have to dig further. You see, IP addresses are assigned by an authority called IANA, Internet Addressing Authority or something like that, and they do not give IP addresses directly to every individual or every institution. Most institutions get it from their service provider, and the service provider could be, like I was talking about, Tata, Bharti Airtel, VSNL, MTNL. So depending on which organization, they have to maintain the domain name entries for you, and in the particular case that you are telling, it is possible that the service provider is maintaining the information and his location is wrongly entered, or it is physically somewhere else, and therefore this confusion. For updating these records there is a DNS authority; if you look at the DNS stuff some more it will tell you who is the authority, the field, what is the address, what is the phone number and so on, and people have some ability to control it: if the information is either wrong or you want it changed, then you have to talk to your service provider and get that information rectified. So that could be the reason. Next question.

Sir, yesterday we discussed packet filtering firewalls based on IP address. Yeah. In that, if the IP address is spoofed, then how can we overcome that? Yes. If the IP address is spoofed then the attacker can easily enter the network. So how can we overcome that thing?

So, like they say, this is one of the things that you have to find out by thinking, but yes, let me give the top level answer. Spoofing is difficult to detect within the same LAN, but not really, even that: there is this question of the MAC address, that is, the ARP protocol binds the IP address to a particular Ethernet address, and therefore if spoofing is happening within your own department LAN, then the system administrator, by looking at the ARP packets and a trace from Wireshark, will figure out which Ethernet address is using multiple IPs, and then using the switch you can either prevent it or at least detect and correct it. But if you are looking at the WAN, then definitely the addresses that are spoofed will not go beyond the router. The first router that takes the packet from the LAN and puts it on the WAN will not be able to, or will not, if it is properly configured, forward packets for a wrong subnet. Therefore, within the particular subnet the address can be identified. With the rest of the world, like I showed you in atlas.arbor.net, they were telling you which were the phishing sites and what were the IPs; that IP may not be correct in the last byte, what is called the computer address. There are two parts of the IP address, right: the network address and the host address. The host address could be spoofed, but the network address cannot be spoofed. So to that extent I will give the answer and stop here, but it is a good question, and this is the way to learn more: keep thinking, keep learning until you find out the answers. Next question.

Good morning sir. Sir, there is uncertainty in security analysis, then how can we use Bayesian networks in cyber security analysis? How can you use what? Please repeat the last part. How can we use Bayesian networks in cyber security analysis?

Bayesian networks, okay. See, this is the probability of predicting. Okay, let me just give a top level answer again and then you have to read the details. Please sit down, I mean, make yourself comfortable. This is called anomaly detection. So you have to know what is normal usage and what is abnormal usage. So it is not necessary that everything that happens today should have already happened in the past; there can be a trend. Now the trend can be that, based on what happened, a new thing can happen today, but it is well within what is called expected, that is, the Bayesian expectation of that event is not very low. So that is not an anomaly, whereas if something different happens... For instance, even forget network and computer security, banks use it for fraudulent transactions. If you have been buying groceries worth 500 rupees using your credit card, it is okay; if you spend 1000 rupees, you ate in a hotel, it is okay; but if you suddenly buy at a 1 lakh rupee diamond shop, jewellery shop, and it is used there, then that event is classified as abnormal. For classifying events like this and detecting anomalies, some of the techniques that you have talked about from AI, Bayesian networks and so on, are used. So those are slightly more advanced topics which your students can take up as seminar or term projects and so on, so forth. Okay, next question. Just a few more and then I will hand over to my students for the lab guidance; maybe two, three more.

My question is regarding projects in this area. Which kind of projects can be done in cyber security, and specifically access control, and what can we do in the lab so students can learn about cyber security?

So that is, you know, a very open ended question, and the best suggestion I can give you is that, not only in this particular course where we have labs which you can repeat many of, but on the internet if you look for courses by many universities there are at least 100 different offerings of a course for undergraduate students, and each of them will have their own version of the lab. Some will be actually very hands-on, implementation oriented; some will be a survey of papers and tools and techniques and trying some simulation experiments; and some will be more conceptual, where you read and write a report. Now, a combination: I would advocate hands-on. I would advocate for the very first course that people only use readily available open source tools and analyze the results. The only coding they have to do will be on the end part, not on the first part: the first part, where the tool already collects, gathers a lot of information, should be used by them to develop their own small scripts or programs to analyze specific types of incidents. So from the perspective of the labs that I am going to be conducting with my students tomorrow and on Friday, log analysis will be a very valuable thing to do. We can give them logs of email or web and so on and ask them to find out what events happened, how many attacks took place, or what type of transactions, and for that they write their own code. If they are programmers, then using either a scripting language like Python or Perl, or simply using Unix, they can whip up scripts that will specifically do targeted analysis of logs, and then they can measure the time taken, improve the coding, find out how to do it real time, reactive, and keep extending the project based on the interest. But it is a good question; we will note it down and maybe later on, offline, send you pointers to already available good projects.

Hello sir, good morning sir. Good morning. How to resolve the IP conflicts?

See, there are two solutions. One of course is to use what is called the DHCP protocol. I am assuming that you are doing this only in the LAN in your college, in your lab or your building. So in that case do not allow users to set their own IP; use a protocol called DHCP, Dynamic Host Configuration Protocol, where a server will, based on the request, give an IP, allot an IP, and then keep its validity and then keep extending that. This is what wireless networks do by default, where you do not configure the IP statically. But in case you are not able to set up a DHCP server, then the harder way is to do what I said: use an ARP trace, that is, a tracing tool, a sniffing tool which figures it out, and you have to then have some knowledge of what the Ethernet address of each machine is. This comes with the hardware; you have to label it, you have to maintain an online table, and from that table you can look up which Ethernet addresses, and therefore which location, are doing this conflicting assignment of addresses. Because if you ask users to assign addresses, or they have the ability to change addresses, then this is an endemic problem which you have to live with. So a little bit of discipline, a little bit of easy tracking tools is the only way if you allow static, user based IP configuration; otherwise try DHCP. So, last question, yes.

Morning sir. Yes. Yeah, College 4003, Sree Narayana Guru College, Kerala. Yes. Yesterday you had mentioned that email services can be blocked using iptables. Yes. Can you specify how do we do that?

Okay. So, a quick answer, and of course in the lab you can try out more. If you want to connect to somebody who is receiving email, then like any internet connection it is determined by the port number. Typically somebody who is receiving email listens on port number 25; this is called the SMTP server, SMTP protocol. So if iptables is told to drop all packets whose destination port is 25, then anybody from inside your campus trying to connect to port number 25 of any machine outside will not be able to make the connection. So this of course is not a foolproof prevention, because, just to give an example, if a student in your lab asks his friend in America to set up a mail server on port number 72, then he can connect to port number 72 of that machine. But this requires prior planning, exchange of information to beat the system, and that is not a normal activity. That then has to be detected by tracking the connections. iptables and also other tools will allow you to analyze how many connections are going out of your LAN, to which ports they are going, to which IPs they are going, and if frequently you see a connection going to port 72 then you can ask, what is it? You can drop the packets, you can check the packets. So it depends on the investigation level that you want to do. But basically 25 is the default port, and blocking that will mean 99 percent of the mail servers will not be reachable from inside the LAN. So I will stop here with the first part of today's question and answer. We can again do it at the end if we have time.
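As an added example (not part of the lecture) of the ARP-based check the speaker describes for both the IP-spoofing question and the IP-conflict question, the following Python script reads a constructed, simplified dump of ARP replies and reports Ethernet addresses that answer for several IPs as well as IPs claimed by several Ethernet addresses, looking each up in the kind of hand-maintained inventory table the speaker mentions. The trace layout, the inventory table and all addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample ARP-reply trace (time, sender MAC, sender IP), the kind of
# fields one could export from a Wireshark capture; this layout is an assumption.
# Host :03 answers for two IPs, and 10.0.0.10 is claimed by two different MACs.
SAMPLE_ARP_TRACE = """\
0.001 aa:bb:cc:00:00:01 10.0.0.10
0.120 aa:bb:cc:00:00:02 10.0.0.20
0.250 aa:bb:cc:00:00:03 10.0.0.30
0.310 aa:bb:cc:00:00:03 10.0.0.20
0.470 aa:bb:cc:00:00:04 10.0.0.10
0.600 aa:bb:cc:00:00:01 10.0.0.10
"""

# The hand-maintained table the lecture mentions: Ethernet address -> location
# (constructed values; a MAC missing here is hardware the admin has not labelled).
INVENTORY = {
    "aa:bb:cc:00:00:01": "Lab 1, desk 3",
    "aa:bb:cc:00:00:02": "Lab 1, desk 7",
    "aa:bb:cc:00:00:03": "Lab 2, desk 1",
}

def parse_arp_trace(text):
    """Yield (mac, ip) pairs from the simplified trace format above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1].lower(), parts[2]

def analyze_arp_trace(text):
    """Return (macs using several IPs, IPs claimed by several MACs).
    The first is the spoofing indicator, the second an address conflict."""
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for mac, ip in parse_arp_trace(text):
        ips_by_mac[mac].add(ip)
        macs_by_ip[ip].add(mac)
    multi_ip_macs = {m: sorted(v) for m, v in ips_by_mac.items() if len(v) > 1}
    conflicts = {ip: sorted(v) for ip, v in macs_by_ip.items() if len(v) > 1}
    return multi_ip_macs, conflicts

def locate(mac):
    """Map a MAC to its labelled location, or flag hardware not in the table."""
    return INVENTORY.get(mac, "unknown (not in inventory)")

if __name__ == "__main__":
    multi, conf = analyze_arp_trace(SAMPLE_ARP_TRACE)
    for mac, ips in multi.items():
        print(f"{mac} ({locate(mac)}) answers ARP for several IPs: {ips}")
    for ip, macs in conf.items():
        print(f"{ip} claimed by: " + ", ".join(f"{m} ({locate(m)})" for m in macs))
```

Note that a host spoofing a neighbour's IP shows up twice: as a MAC with several IPs and as an IP with several MACs, which is why both views are reported.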