Finally, it's a weird time, 4:35, so we can officially start class. Alright, let's go there. I say good morning; it's 7 o'clock in the morning, it's nothing in the afternoon, it's almost night, so it's going to be nice, very weird. Good evening. It's not really, it's 4. Good afternoon everyone, welcome to CSE 545. I see a lot of familiar faces in the audience, that is cool, and I see some new faces, and that's also really good. My apologies, I wasn't able to be here last week. I thought I was telling some people, the National Science Foundation, who funds my research, said, hey, we need you to be in D.C. for three days, and I said yes, because they fund my research. You should have taught faster. It's a good lesson to learn for your career: when somebody's paying you to do something and they ask you to be somewhere, you can be there.

Cool, any questions before I start? I know there's a question about MCS portfolios, and I'm going to answer it soon, but yes, this is an MCS portfolio class. I'll be adding instructions to the syllabus. Anything else? Yes, we already decided on office hours, I need to post them. I don't know if you'll necessarily need them yet, but we'll have them and we will be available. Anything else? All right, okay.

So, I hope, as was discussed on Monday, the point of this class is security, and specifically software security. My philosophy in teaching this class is that you need to understand what makes software insecure before you can even think about building secure software. And so that's really what we're going to explore in this class: what are all the ways, essentially, that software can break? Either programmers have problems creating software, so there are vulnerabilities in the software itself, or maybe the software is misconfigured or misinstalled so that there can be vulnerabilities. And in my mind, just a high-level understanding of vulnerabilities is absolutely not enough.
You need to actually put your theoretical knowledge to the test and actually craft and create exploits. And so, as part of knowing where we are today in the state of security and computer security, we have to look back at our past and try to understand, okay, how did we get to this point? Does anybody feel like we live in the age of secure systems and secure computers? No, why not? Why don't you feel that way? There are major hacks every day. Yeah, major hacks every day, a lot of times. Yahoo. Yahoo, there are multiple Yahoos, yeah. What other hacks? OPM. OPM data breach, so OPM is the Office of Personnel Management. I believe it was last summer or the summer before. I think it was last summer, right? They were breached, so the Office of Personnel Management has all of the data on everybody, basically, in the military and in government agencies. So if that wasn't bad enough, getting all that information, they also have all of the information for people who've ever applied for secret or any kind of clearance. So they've gone through the process of getting clearance, some people. So they ask a lot of personal questions, and whoever hacked that OPM database now has access to all of these sensitive personal questions. I've only been on the outside; I've been interviewed for these questions, and they ask me things like, is there anything that this person could be blackmailed with, are they loyal to the United States, all these questions. You have to put every place you've ever lived, you have to put every place you've ever worked, all of your spouse's, your children's, all this information is in this one database, and it got hacked and leaked. So think now, somebody really has all this information, and not on random people, but on the people who are entrusted with secrets. Cool.
So in order to kind of look at where we are nowadays, I think you shouldn't be too scared. Is anybody so scared of security that they're not using the Internet? It seems insane to think about. You'd be a lot more secure if you were, but your life would probably be measurably worse, I guess we can say. Worse than a lot of things. So to understand where we are today, we can look back at the history and try to understand how we got here. And so really, the birth of computer security really started with the Internet, and I'm still going to capitalize the Internet, the Internet with a capital I, because I believe that it's correct. So the Internet is really a network of networks, as opposed to an intranet, which is an internal network. The Internet is composed of networks of networks. So we each have our own network, and we're talking to other organizations to try to route traffic. It's a capital I because it's the Internet. One Internet. And this is the whole idea, and we're going to actually go into a lot of detail about networking and routing and how this stuff actually happens at the technical level. But for now, we can say that really, we have autonomous sub-networks. So ASU, while the technology is centrally managed, ASU owns a network space. But when we want to access Google.com, that doesn't exist in ASU's network. We need to go outside ASU's network to get that information from Google.com, and it sends the results back to us. So really the Internet is how all of these autonomous networks talk to each other. The beautiful thing is that it has a very open architecture. So all of the protocols are documented out in the open. So this actually is great from a student and educational perspective. You can study exactly how these things work.
And in regards to security, you can actually study these things and look for vulnerabilities in them, and it's easier because these specifications are open. And you have this interesting interplay. I believe it was Twitter that was taken down. I mean, Twitter is always going down every now and then, but one of the ones, I don't know if anybody's using Twitter, one of the ones I remember is when another network accidentally started advertising routes for Twitter. And they said, yeah, yeah, we're Twitter. And so all of Twitter's traffic went to this one network, and nobody was able to actually go to Twitter. So this is part of the problem. So part of the issues with the Internet are not just technical. Technically, you have these independent entities, these independent networks, and so that creates a lot of political kinds of problems that can come up. And I think this is kind of just, you know, the Internet is really important. I don't know. I don't think it's just an experiment. Try living your life with no Internet for a few days. You can probably do it for a few days, but for an extended period of time, it's really difficult.

So the Internet history. So the history of the Internet. In the 70s, DARPA, the Defense Advanced Research Projects Agency, created and funded what they called the ARPANET. And this was back, I mean, a pretty long time ago, in 1969, they had four nodes on the Internet. What were those four nodes? Universities. Three of them were universities. Which ones? UCSB. UCSB was one. Stanford. What was that? Stanford was two. Utah. What was that? Utah. Utah. University of Utah? Berkeley. And Berkeley, yeah. No. Wait. Now we have to look. Okay. I'm going to put it up. This is a good guessing game. So UCLA was one. UC Santa Barbara. The Stanford Research Institute. Stanford is in there somewhere. And so why was Utah added? No. What was that? Outside of California, for political reasons, right? Because DARPA's funding money for this project.
They didn't want to be seen as just dumping a bunch of money into California. So they included an organization that was outside of California. Probably a similar reason SRI is included, because they're a private research institution. And so they're not a university. And one of the coolest things, I love always looking at this, is the connections. These are the four nodes of the ARPANET, which eventually became the Internet. And these are the systems that they were running on this network. So it actually kind of blows my mind to think about where we are today, with literally every one of your cell phones and laptops accessing the Internet and talking on the Internet and accessing all these services. So it began here with these four nodes. And the original networking protocol that they used was called the Network Control Protocol. We'll see why that's important in a second. So in the 70s, it was very much a research thing, right? So this is just something that researchers used that were trying to prove that you could have computers and machines talk to each other over these networks.

In the 80s, people who are familiar with networking probably know this. In 1983, they had what's called Flag Day. So basically everyone using the Internet at that point decided, you know what, NCP is not very good. And to be honest, I don't know exactly why. We're going to move to TCP and IP. And so they all decided on this day to shut down all their computers, install the updates to update the operating systems to use TCP, and then brought everything back up. Could you do this nowadays? No. No. Think about how insane of a task that would be. They could actually, I've actually seen, ah, I should bring a picture. One of the professors at UCSB had a phone book. It's about this thick. I believe it was from the 80s, of the Internet.
So you look through there, and it's IP addresses, user administrator names, and phone numbers for every machine that was on the Internet. So yeah, you could actually organize this, right? You could call people and say, yeah, there's this really big problem. We need to upgrade the network. Okay, when do you want to shut down the Internet? If you tried to do this now, it would be insane. It's hard to imagine a scenario where the world comes together and decides to upgrade the Internet. So why is that important? Because you have to build on the current framework? Yes, this means we're stuck with basically TCP or IP. So if you want to propose a new alternative, you say, oh, I have a much better way of routing packets. It better be backwards compatible with one of these two protocols, depending on what layer. But it has to be backwards compatible with these protocols, otherwise it's a non-starter.

The importance of Flag Day is that NCP was based on network stability, so there was a centralized node. That would break; this stability is based individually on the host. One host goes down. Cool, yeah, I did not know that. So yeah, one great thing we've learned collectively from the Internet and networks is having a central point of failure is always a bad idea in terms of scalability, right? So yeah, NCP, using some kind of centralized routing mechanism or something, that would definitely be a non-starter.

So also in the 80s, the important thing is DARPA funds the development of Berkeley Unix. And as part of that, their TCP/IP stack kind of became the standard for open source software that was used a lot. And then finally, we actually had this evolution. Instead of it just being researchers creating this, organizations started to realize that, oh man, this Internet thing actually is useful, like being able to send an email from one machine to another is very nice. And so MILNET is the military network.
So I guess it used to be a part of ARPANET and has since split into its own network. So they have very different ways of doing things, which I am not familiar with, not being involved with that. This, I like this fact. The NSF created a network for supercomputers, right? Pushing huge amounts of bandwidth and data, that had 56 kilobits per second. For anyone that remembers dial-up, that's how fast this was. But this was like supercomputer-level fast Internet communications.

Okay, in the 90s and in the 2000s is when things start to explode. You have incredibly high growth, not only in the size of data that's being sent across the Internet, but also in the volume. And I love this date because my background is in web applications, so web applications are a huge center of this. So in 1991, Tim Berners-Lee at CERN created essentially the World Wide Web as we know it now. So this is actually an important concept that we'll come back to later. But the World Wide Web, as we actually think of it, a lot of us think of it as the Internet, right? The Internet is, you open up a browser and you go to Google when you search for something. Or you use Bing when you search for something. But really, the World Wide Web is just one protocol that is used on the Internet. Other famous ones: so e-mail predates the web by a significant, a significant margin. You have SSH, Telnet, and any of those other ports and services that we'll all look at; these are all different protocols that use the Internet to communicate. And so the web is kind of just one subset, but it was the subset that made it explode. It made the Internet basically usable for everyone.

So the Internet explodes. So how, what kind of an explosion? So we went from, let's look at this, so this is the number of websites from 1999, which is already eight years after the web was created. And it's at about the six million mark. So that's actually something in itself.
If you create something that in six years has six million people, wait, is that six years? No, eight years, and six million people using it, you're probably doing something right. And you can extend that out to, so you can look here in 1991. No, no, oh yeah, so this is 1990, Tim Berners-Lee had the first simple website. And you can see over time it slowly grew into the hundreds. Imagine how cool that would be, you're Tim Berners-Lee. I create something and hundreds of people are using it. And that turns into this thing that literally millions, billions of people are using. And so it's kind of interesting, a little bit of a side note, about why the Internet was created. So Tim Berners-Lee was working on basically, I don't know, I think it was the equivalent of, he was working at CERN, which is the European organization doing, they're the ones doing the LHC, right, the Large Hadron Collider. And so their big problem was, hey, we have all these researchers doing research, but it's really difficult to know who's working on what and even where people are at one time. So he was like, oh, it would be great if you could have this page with the people here, and you can click all of these links to take you to their page so you can see what they're working on. So that was kind of the origin of the web, yes.

Any reason why the number of websites could go down by that much? Probably just a measurement study. It's actually difficult. It would be hard to kind of, unless you're Google, you probably don't know. It's mine. Yes. Yes. My question was about what are you counting as a website? Is that something that talks HTTP on port 80? What's that? I do not know. I think, I'm pretty sure if you follow this link, they have a much better methodology of how they actually measure that, but yeah, that's one thing, right? Because is it something talking HTTP, or are we talking DNS that resolves, because you have multiple hosts that are on one IP?
You have the reverse, so Google has a bunch of IPs that, if you ask them for Google.com, they'll give you back Google.com. So yeah, I don't know exactly how they do this, but I think we can all agree it's significantly increased from one or even six million websites. So I like this visualization that kind of shows, this is a visualization, you can look at the lower left here, different networks and the amount of traffic they're all sending all over the place. This kind of conveys that it's a crazy, the Internet is a crazy place with lots of things happening, right? And this is part of the reason why it can be so difficult to actually detect an attack, right? A lot of networks have lots of things going on.

The interesting thing, I learned recently about ASU, so if you think about it from a network management standpoint, every year about, let's say, a quarter of our users leave the ASU network and we get a brand new quarter of users, right? So when students graduate, we get new students coming in. So now you have this, how many students do we have? It's like about 20,000 students, new users on your network every year, whereas in an organization you don't have that, right? Your turnover is probably like 5% maybe. So ASU itself has to deal with a lot of these challenges. So how do, and people who are thinking about, how do we make sure that your laptops are secure when you're talking to the ASU network? How do we make sure that somebody else's laptop isn't trying to infect your machine? So the Internet's really big. So that's one aspect of why, so now in the Internet we kind of have this global, worldwide reach, and so now I want to look at the history of hacking. So I'm going to skip over this, it's just over to you. So we're going to get into this, but actually, a lot of this can be traced back, and a lot of hacking culture can be traced back, to 1972.
So in 1972, there's a guy named John Draper, his name, they call him Captain Crunch, which is a super cool name. Part of the reason is because he found that a whistle that came for free in Cap'n Crunch cereal produced a sound at 2,600 hertz frequency. So why is this frequency important? Dial tone? Dial tone, what about dial tone? What's a dial tone? I'll leave this off. So it would make a noise, it would have like a series of noises, and that would determine where you were going to call to, I guess? Yes, so back in the days of landlines, right? You would pick up a phone and you're ready to go, which made you off-hook at that time. And then you call a number; what you're actually doing is sending a signal to the router that's basically at AT&T, saying, hey, I want to call this number, and then they would call something else. So it turns out that the 2,600 frequency was used by AT&T to authorize long distance calls. So I also know it may be impossible to believe, but back in the day you couldn't call any number at any time for free. You could only call local numbers for free, and you had to pay per minute to call somebody in a different area code. And the way that they would do that is essentially the phone lines would emit this frequency kind of over the voice channels to tell people that this was an authorized long distance call. And so this, along with other things, led to the birth of what's called phone phreaking. And the idea there was, let's make phone calls for free, because we can essentially trick the phone network into thinking that we were making this call for free. So part of that was that the sound at 2,600 would do a certain thing and let you in. And so he discovered this, and then he built a blue box. And what this blue box did was basically have different buttons on it that would allow you to have different dial tones and different tones.
So then the information would proliferate about, oh, and you could do crazy things like bounce your call across the world before connecting to somewhere else, all using these little devices. His story is actually kind of sad. He was sentenced to five years probation for phone fraud. And the question, though, is why do we care? Why do we care about Captain Crunch? Besides the name. That was a very cool name. He's way above. Yeah, so he basically was taking advantage of a vulnerability in the phone network. That vulnerability being, hey, maybe the switches and servers or whatever, well, maybe the switches shouldn't be talking to people on the same line that you're sending voice data on. That voice data should always be voice data. You shouldn't ever interpret that as a command like, make this call for free. And so that really kicked it off. There's actually, there's a whole, if you want to, I bet the Wikipedia, I haven't read it, but I've read other articles, the Wikipedia article for this is probably really good. There's a whole culture about phone phreaking. They found out that some people could actually do the frequencies just by whistling. And so they would be like natural-born phone phreakers. They actually would like explore the network. So they were like, you know, on the outside. So they had to reverse engineer a lot of how the phone networks were working. And so they did that. They basically compiled all this knowledge about how the phone network worked, sometimes more than the AT&T employees themselves. And so yeah, it's a very interesting mix of kind of this. And this is really one of the starts of hacking culture, this phone phreaking.

So moving on a little bit, more up to date and more kind of in the vein of what security we're talking about. So in 1973, we had Bob Metcalfe write an RFC. So what's an RFC? Okay, I'll go. Is it a mobile one? A mobile one? Yes. A request for comment. A request for comment. What is it used for? What else? Standard. Standard.
Standard. Yeah. So this is kind of the way that, if you want to standardize something on the Internet, the typical way, there's a whole process now, is you submit an RFC. So all of the DNS is defined through this, email, you know, SMTP, the HTTP protocols are all defined in their RFC; IP, TCP, everything's in an RFC. And so I really like this quote from this RFC that he wrote. So the title may give you a hint that it's not actually a protocol. It's called "The Stockings Were Hung by the Chimney with Care." And he states: the ARPANET computer network is susceptible to security violations for at least the three following reasons. One, individual sites, used to physical limitations on machine access, have not yet taken sufficient precautions toward securing their systems against unauthorized remote use. For example, many people still use passwords which are easy to guess: their first names, their initials, their host names spelled backwards, a string of characters which are easy to type in sequence. Why is that string of characters easy to type in sequence? It's the bottom row of the QWERTY keyboard. Is this still a problem? Yeah. Yes. It's been a problem since 1973. It's still a problem in 2017. Okay.

Some more things. The TIP allows access to the ARPANET to a much wider audience than is thought or intended. TIP phone numbers are posted, like those placed on the walls of phone booths and men's restrooms. Huh. Sorry. The TIP requires no user identification before giving service. Thus, many people, including those who used to spend their time ripping off Ma Bell, who was he talking about there? The phone phreakers. He's talking about the phone phreakers and Captain Crunch. Get access to our stockings in the most anonymous way. So the TIP was how you could get access to these systems remotely. So it allowed you to kind of call into these systems. And so they're saying, like, nobody's securing these numbers. And once they call this number, they have access to our systems. Right.
So there's no way to authenticate who's actually calling this number. This is an interesting one. There's lingering affection for the challenge of breaking someone's system. This affection lingers despite the fact that everyone knows that it's easy to break systems, even easier to crash them. Is that true? Let's kind of figure it out. So is there still a lingering affection for the challenge of breaking someone's system? Yes. Why? What is it about it that makes it cool? Will you accomplish something that no one else can do? Is it actually the act of breaking into their computers? I don't know. For me that really is more of like a criminal motive, if you talk about somebody else's computer. Fundamentally I look at it in two ways. A, so kind of like forcing a system to do something that it wasn't designed to do. Right. And that requires intense knowledge of that system. Right. And that's kind of how I see those phone phreakers relating. Right. They had to learn knowledge about how the phone system works so that they could attempt to make, you know, they could do what they want with the system, which AT&T didn't want them to do. Similarly with security vulnerabilities. Right. For me, finding a vulnerability and exploiting a vulnerability proves that you have a very deep knowledge of that system and how it works. So I don't think that ever goes away. That's part of why we study this in an academic setting. Right. We need to study how to break things, not because we want to be criminals, and we're going to talk about ethics in the next section, but because we want that knowledge; we want that deep understanding of the system, so, so complete that we can make it do whatever we want. It's a very powerful feeling. Is it easy to break systems and easy to crash them? Yeah.
It could be harder to break the system, because it would require actually like a better knowledge of the system, like you said, and an overall deeper understanding of that system, versus crashing the system. I mean, I'm not saying everyone can crash, or anyone can crash, the system, but you don't have to have much to do with it. You can crash the system without even wanting to do it. Yeah. So that's a good point. So I think in general you could say that, yes, breaking systems is more difficult than crashing systems, generally. That's maybe a generalization. Yeah. I think there might be more redundancy now. So crashing a system is probably more difficult than exploiting it. And do you think, so this was written in 1973. So he says everyone knows that it's easier to break systems. That it's easy to break systems. So in 1973, who was using the ARPANET? Researchers. Researchers and like people whose lives are computers, right. These are the experts, and the experts. So yeah, they all know, but is that statement true nowadays? I don't think so. And so defenses have gotten better, right, over time. So I'd say, if you're talking about how easy it was to break into 1973 software versus 2017, you could make a very solid case that it's more difficult in 2017 for certain cases. There are still some things that are very easy, especially on the web. Especially if you're not trying to target a certain one, if you're just trying to exploit somebody on the Internet, right? The Internet is very large; odds are you will be able to exploit something.

Okay. Let's see what else he does. So he says all of this would be quite humorous and cause for raucous, we've got five minutes over, raucous eye-winking and elbow-nudging, were it not for the fact that in recent weeks at least two major serving hosts were crashed under suspicious circumstances by people who knew what they were risking. On yet a third system, the system wheel password, back in the day, wheel was the same as root.
The system root password, or administrator password, and so on and so forth, was compromised by two high school students in Los Angeles, no less. We suspect that the number of dangerous security violations is larger than any of us know and is growing. You are advised not to sit in the hope that St. Nicholas will soon be here. So what is he trying to achieve with this? Awareness. He's trying to wake people up and say, look, you have to start thinking that people are going to try to attack your systems, right? Back in the day, he saw that danger. There were four nodes on the ARPANET. All four people knew each other, right? It's not like they didn't know there was some stranger on the Internet, right? It was the ARPANET at the time. And so he's trying to tell the community, hey, wake up. We've got to do something about this. So this was kind of the first early warning in the process that, hey, we should start thinking about security. If we don't think about it, it's going to cause problems, which is what we're going to do. Okay.

This is actually, all of these are my favorites. That's why I'm talking about them. So I shouldn't say which one is my favorite. This one I really like, also because there's a book written about it that you can read about on the link at the end. So the German Hacker Incident, it sounds like a really cool movie. So Cliff Stoll was a system administrator at Lawrence Berkeley Lab, but what work did they do, anybody know? I think it's a little bit more work than that. Okay. That's what it was. In August 1986, so he was actually a physics student. So he was not a computer scientist. His background was not. There wasn't even really a concept or area of security really back then. So he was not a security person. He was just a grad student who got tasked with maintaining the physics department's server. So on his first day, he noticed a 75 cent accounting discrepancy for CPU time. So back on these big systems, right?
You buy a big computing system, you have multiple user accounts, and you have to pay for the time that you were using there. So it's actually kind of funny, right? Because it used to be, that's an insane way to think about computing, because you just buy your own desktop and that'd be it. You wouldn't pay anybody for it. But now we've got cloud things like Amazon, where now we've gone back to paying by the hour for compute time. So that's an interesting development here. So 75 cents. So can you honestly say that if you started your job and you noticed a 75 cent difference that you would investigate the cause of that? I would probably not. I would start off, I would probably not. So 75 cents. Especially, can somebody do the inflation calculator from '86 to now on 75 cents? Like $5 now? So, and he found out when he started digging into this that an account had been created with no billing address. So the billing software couldn't bill that account any money. And this should start raising red flags, right? So maybe you know or don't notice the 75 cent discrepancy. Maybe you put it off until later if you're busy. Once you find out there's an account created with no billing address, then you start digging. So he started digging, and he found the presence of an intruder. So he found that somebody had broken into their system and had created this account, and it had given them remote access, and they had backdoor access. So he freaked out, and he basically called the FBI and several other agencies to try to track this person. And basically he essentially set up a tap on the network. So he set up this crazy system where he got a page, a text you could say, if you're going with that. He got a page whenever the attacker logged on. So he could run right down there on his bike and start the tap software. So it would do printouts of everything that person was typing. And so using this, he monitored the intruder and was able to find out who they were and how they gained access.
So it turns out it was a configuration problem in Emacs, which is an editor that was installed on these systems. And Emacs, as people like to claim, will do everything. So it can work as a mail client, so it can use the movemail program to move users' email from where it's stored in the spool to their home directory. And the administrators there had configured it saying, oh, movemail should have root, administrator privilege; it should be able to do everything. It's got to move mail. Well, it turns out that this opens up a security hole, which now, movemail allowed anyone on the system to move files to any directory. So anybody can move any files anywhere they want. So he exploited this bug to basically substitute his own copy of the atrun program, which is run every, I can't remember how much, but we'll say every hour. And so what that program did is, after it was executed, it would copy the old atrun program back, that's covering traces, and then would create the fake user account. So using that, he was able to get administrative access to the server. He created those fake accounts with no billing addresses. He created a backdoor program, and this is where it takes an interesting turn. He used this system to connect to military systems on MILNET. So this was back when the ARPANET and the military net were on the same system, which was doing a lot of government research. So they were working with military organizations. And his research found, so remember, you gotta think the attacker's coming in and connects to his system, and so he can see every command that's being sent, and then you can see it connect to that remote system. So that remote system sees a connection from his system, but Cliff can still see all the traffic that's being sent to that other system. So he was able to see that he would try to probe other remote military systems. He wanted to break into them, because a lot of times they'd use the default password.
They would and then he would search for things such as SDI, Stealth, SAC, Nuclear, NORAD on the systems and would cycle down all that data. And so this is the kind of point where he called the FBI. He was like in over his head. So with the help of the FBI and the German he was able to trace the intruder to Hanover and finally in 1989 they actually arrested somebody who was working for the Eastern Bloc trying to get information about the U.S. And he was sent into a year and eight months and I have no idea how much money that is now it's impossible to tell. I mean it's not possible. And so they found similar attackers that were involved in this break in. So this is kind of you can find it here like this physics student who like stumbles across this international hacking, espionage campaign. Like that's pretty cool. It kind of is straight out of a movie. So he wrote a book called The Cuckoo's Egg. It's his own account so he wrote it. It's his own account on the incident. So you can hear him describe this first hand. I highly recommend this. It's a really even if you already know the ending because I just love it. It's still a really good book so I highly recommend this. So this is kind of a good first example of really kind of getting to a level of nation state hacking. Right, where now we have big government agencies and that's one of the things I put noted in his book was this person wasn't doing random things. They were methodically going through server by server and then trying all but a lot of exploits and then they didn't even ask as they moved on and they would keep creating a concept. What's the east block? What's the what? East block. Oh, East Germany, West Germany they used to be two different countries. Yeah. They used to be two different countries. So East block is East Germany? Yes, East Germany. Sorry, we're giving a lot of history about it. 
Okay, so then the next really notable incident was the Internet Worm. It's called the Internet Worm because it was the first one, so you have to call it that, even if there are many other ones. It was developed by a student who had a very cool hacker alias, RTM, Robert Tappan Morris. He released it. And so what is a worm? It's a piece of software that takes advantage of a vulnerability. So it will scan the network, find other computers that are vulnerable to the same vulnerability, exploit that vulnerability, copy itself over to that machine, and run on that machine to then scan all the machines that that one can find, to copy itself. So in this way it spreads throughout the network, basically like an infection, like a viral infection. So there's a lot of debate, and we're going to get into this: did he deliberately do this, was it accidental, was he just developing this for fun and it kind of escaped him and got out of hand? And so it turns out what happened was a mistake in the replication procedure led to basically unexpected proliferation. The idea would be, when you scan other systems, if you've already exploited that system and you've taken it over, why would you want to retake it over? Unfortunately he had a bug in the code where he was checking for that, and so machines would continually get infected with this worm. So this isn't your laptop nowadays where we have 64 cores and 32 gigs of RAM, right? They had very limited CPU power, very limited memory, and trying to run 10 or 15 or 20 of these worm programs would just bring the computer to a grinding halt and nothing could happen. And so how they fixed it... because what happened is they tried to patch it, and then they'd bring it back up and they would just get exploited right away, and things were getting crazy, like you couldn't use computers to talk about this problem, right? They had to actually physically call people. And so they basically were like, shut everything down, everyone patch everything, and then we'll bring everything back up and it will finally stop. And so damages were estimated to be on the order of... dollars. So if we turn the Internet off for... damages would be several hundred thousand dollars? Can anybody even come up with a reasonable estimate? I don't think so. I don't think you can be high enough. I mean, maybe if you start going into a couple trillion that would be outrageous, but a billion I think is not unreasonable in the amount of productivity loss and business loss. He was sentenced to three years probation, a ten thousand dollar fine, and four hundred hours of community service. Jesus. What do you think, is this reasonable? Not a lawyer, not a lawyer, not a lawyer, a person though, you can get a battle with us. Yeah, back then it was probably reasonable in the sense that they didn't really realize how much more dangerous this could be; analogies, for example, because they had a solution through it, so they couldn't think like twenty, thirty years ahead and think about how this could affect us nowadays if it weren't to be solved. Yeah, so it's kind of, you know, he gets a little bit of leeway; he's the first, right? You can always claim you don't really know what's going to happen when you do this because you're the first person that's ever done it. The second person that does it should know better, right? So yeah, it's interesting; I can see both sides. One of the important things that was created... what they realized is, you know, once you as an administrator found yourself under attack and all your machines are down, what do you do? There's nobody to talk to. You can maybe talk to other administrators. But what they created was an organization called CERT, which is the Computer Emergency Response Team, whose job is basically: they will disclose vulnerabilities, they will raise alerts when there are problems in the Internet, you can go to them if you find a problem, they will help you fix it and notify affected parties. So they've kind of become the place for talking about this, so that now basically as a community we have this place that we can go to to talk about these things.

Digging into the worm a little bit, because it's very cool from a technical standpoint. So as we talked about, a worm is a self-replicating program. It worked only on Sun-3 systems and VAX computers running BSD Unix. The worm had two parts, which is really cool: it had a main program and a bootstrap program. And actually, when we started digging into this, we were like, huh, this was pretty sophisticated; it wasn't just a complete accident or just coding something for fun. It used multiple vulnerabilities to exploit these systems. So there was an exploit in the finger daemon. So before poking, there was a finger service which basically would give you information about a user. So if you want to know about user adamd at ASU.com, you can say finger adamd at ASU.com and it would return the information that I had publicly about who I was. So there's a buffer overflow there; it's pretty classic, we'll get into this later, but very classic: just get the line that's sent from the finger connection and then cause an overflow. There was a bug in sendmail, which was a mail sender. It had a debug option, which sounds great if you're trying to administer sendmail. Anybody administer a sendmail system? Yeah, is it fun? No. It's horrible; sendmail configuration is awful. I'm sure it wasn't any different back in '88. And so they had a debug option, so if you're remote and you're trying to interact with the system, you can say, oh, debug this, and specify the exact commands. Well, there's no authentication there; nobody knows who you are, so you can just connect to that and say, hey, run this command, and it would execute this command. So it had two vulnerabilities. Once it exploited one of these vulnerabilities, it transferred its bootstrap program, which was 99 lines of C, which is actually kind of crazy to think about. But this is how you can get a really cross-platform worm, right? Instead of sending over a binary, he sent over a C program, compiled that program, ran it, and then that would cause the main program to be transferred over depending on which platform it was, which is pretty sophisticated. I mean, even doing this on your own is kind of tricky, even nowadays. So the main program... right, so the worm needs to spread. That was the infection vector, and now it has to spread. So the first part, it gathered information about all the network interfaces that were currently in use and all the current open connections: so what computers, what IPs, are we already connected to? And then it would try to use the finger vulnerability, the sendmail vulnerability, or... what's rsh? Remote shell. Remote shell, so it's the precursor to SSH. This is exactly like SSH but without the S. What's the first S in SSH? Secure. Yes. This was sending everything in the clear, and oftentimes what people had back then is they knew, like, typing a password sucked, right? It gets in the way of doing things. So they would set up a trust relationship between machines, like, oh, if I'm an admin on this machine, if I rsh into this other machine, I can use rsh as admin, because I'm the admin here, I need to be the admin over here. And so the worm took advantage of these trust relationships. So it would try to just rsh into these servers, and it would get in. It would also basically perform reconnaissance on the system it was on, to try to find out who were these trusted hosts. So it would read basically the /etc/hosts file, the .rhosts file, which is a list of remote hosts, the .forward file, which is how your email gets forwarded from one machine to the other, and then it would try to rsh into those things. It would also perform a password cracking attack, so it would try to crack the passwords of users. The more you learn about this, the more you know this is pretty sophisticated stuff. So the problem then was, on each successful break-in the bootstrap was transferred, then a new version of the worm would be executed, and then it would keep spreading. This was a problem even for machines that weren't necessarily vulnerable. Even if you have a machine that's not vulnerable, if everybody else's machine is vulnerable and has 10 copies of this worm, and they're trying to connect to every machine on the network, it's just going to bring your machine down too. So that's why they made this coordinated effort. Any questions on this? I really like this one; this one's a cool one. So there's another link here for more information about the Internet Worm; it's really interesting stuff, and a lot of this stuff is still relevant, like password cracking. Just like we saw in the RFC, users choose terrible passwords. It seems to be a fundamental fact of computing and security.

Okay, next up on our list, Kevin Mitnick. So anybody know this name? Some people? So he was actually one of the first, well, one of the most well-known hackers. So in 1982 he had a one-year probation for breaking into Pacific Bell's offices; presumably he was trying to figure out some stuff about how their systems worked. He then enrolled at USC and used campus machines to perform illegal activities. He had six months in juvenile prison in Stockton, California. In 1987 he breaks into SCO, which we'll look at. He then enrolled in another institution, misused campus systems, and was expelled. Again in 1988 he broke into DEC and stole software. He was caught by the FBI and he served a one-year sentence in Lompoc. In 1992 he violated probation and went into hiding. In 1994 they issued a $1 million warrant for Mitnick's arrest; this is where you guys can't quit. In 1994 he was accused of hacking into the SDSC, the San Diego Supercomputing Center. So yeah, this is a pretty long list of crimes, although if he was really good, would he get caught so much?
I don't know, but anyways. So the attack against the SDSC is actually really interesting. It was a super sophisticated TCP spoofing attack, and we will get into that. It basically exploited trust between two systems. So there was an X terminal, which was a system that did not have a disk, and there was a server that provided the boot image to that terminal. So the X server allowed unauthenticated logins coming from the server. So if you could break into the server, you could talk to this X server and the X terminal would give you access. So the first thing he did was say, okay, I want to try to impersonate the server, so I want to take it down. So he sent a bunch of packets and caused a denial of service, caused a crash, so the server can't respond. Then you impersonate the server; you pretend to be the server, the X terminal thinks you're the server, and you can basically issue commands. rsh into the X terminal... basically this line adds: allow everyone to rsh into this machine. So this is the .rhosts file, and you can find out a lot more information here about this attack. There's actually a lot of controversy around whether it was actually him or somebody else; I don't know. You can read this and try to make up your own mind. The story continues: in 1995 the FBI arrested him in North Carolina, finally, so it was about three years on the run. That's actually very impressive. So then in January 2000 he was released from prison after five years, which is a lot longer than RTM got, and he was on probation, which forbade him from using the Internet or from sending an email. Yeah, I don't know if they still do that now; it would be difficult, you'd have to have somebody else do it for you. What would you do, how would you talk to people? So finally in January 2013 he finally surfed the Internet after eight years. So he was a big part of hacking culture. So back around this time period, especially like the 90s and 2000s, when people would take over a website and put up pages that would say, like, Free Kevin Mitnick and all this stuff. Like, he kind of became an underground hacking cultural icon.

Now we get to more recent stuff. So this is Albert Gonzalez. Part of the goal of this class, the next session, will be to teach you not to end up like Albert Gonzalez. So he and his hacking crew used SQL injection vulnerabilities to steal credit cards. They were behind the TJ Maxx breach, and there was another big one, Heartland Payment Systems, which was actually a credit card processor, so they were able to get right there and steal all their credit cards. In total they stole 170 million credit cards; that's the estimate. And so what do you do with all those credit cards? So who do you buy stolen credit cards... don't answer that. What do you do with the credit card? Probably try to liquidate it into cash. So then buy stuff, then return it? I don't know. Sell it on the darknet? So what are they doing, they want illegal stuff, they want illegal drugs, so they buy illegal credit cards too. But how do you... so you're going to give me your answer: if I give you a stolen credit card that was stolen this morning, was it?

The fraud department called me up; they said, were you trying to buy $14,000 in women's shoes? And I was like, no, I don't want any more. So yeah, I found out they stole it somehow and I just had no idea. Yeah, so how come this processor realizes... you may not know, and you have to refund it; as long as I get my money back, somebody will enjoy a lot of shoes. So what they'll do is, just with a credit card number, they have facilities to make fake credit cards. They'll take the card, and if they're really good they'll even put your name on there. Usually what will happen is the person who steals the credit card usually doesn't want to turn it into cash, so the underground market is turning into this underground service-based market. So you have people who steal credit cards and then they sell them to other people, and they really extract value from them. So they will hire people, or have their friends, like, they'll create the cards and they'll try to go to Walmart or go buy a lot of women's shoes somewhere. Maybe it's too much; they're going to get a thousand women... okay. Oh, and in one of my previous classes I was told that those card numbers go for like less than a dollar. Yes, they're very... you have no idea the use. And so you have the problem of limits; you know how many limits you have. Yeah, so especially if you're unknown, then people won't know how good your cards are, and so you have to sell them for less. I don't know, I have a feeling that if you start knowing people and you get a reputation, maybe you can raise the price where people know your cards are actually good. But yeah, they're actually not worth that much individually. And so this is right: they broke into Dave & Buster's, TJ Maxx, Heartland Payment Systems, and as a result, for his efforts, in March 2015 he was sentenced to 20 years in federal prison. Yes, he was... I actually highly recommend, there is a Rolling Stone article about them, about the fast times and hard fall of the green hat gang. So not only were they hacking, they were also doing a lot of drugs and partying. So I'm not saying... I don't know how you do those two things. So yeah, they spent their money on a lavish rock and roll lifestyle, which is kind of crazy. So don't be like him: 20 years federal prison; you always take profit.

Some other stories that I like, because they take different tacks. In 1999-2000 there's a guy who used to work in Queensland, Australia, for their sewage division, and he attacked the sewage company because he got let go, but apparently he still had administrative credentials. And so he caused raw sewage to... hundreds of thousands of liters of raw sewage flowed out into the water, literally, marine life died, creeks turned black, obviously a horrible smell. And so ultimately he was convicted of 30 counts of hacking and sentenced to two years in prison. Right, so this is a good example; I really like this example for two reasons. A, because of the physical effects of this hack. So, you know, beyond just breaking into the system and stealing things, he caused real-world damage from his actions, which especially now is really relevant for power systems or networks, even if they're maybe not accessible from the Internet. So what could somebody do to a power system if they wanted to? In addition, the other thing that's interesting is he was an insider. He was an administrator of the system, and then they fired him, and so he should have been cut off from all of his access to everything, and he caused a lot of harm to the environment.

So there's a lot... web defacements have kind of gone down over the years. It used to be a really big thing to prove you were cool in the hacking crew: you could break into a website and put up an HTML page that was like, we are the hackers, or you could say we are the hackers. There was, in the early 2000s, a wave of worms that was just insane. So these have names like Nimda,
Code Red, Slammer; some of these we had, a Slammer or a Blaster. They just spread incredibly fast. They would take advantage of vulnerabilities in Microsoft Windows systems; every computer on the Internet was running Windows, and so they would exploit vast numbers of machines in a small amount of time. And Blaster's author was 18 years old, which kind of goes to the fact that anybody can do this.

And the last thing to end on is more recent stories. So not only... but also pretty recent, we have the OPM breach. The very interesting thing is the report from DHS and FBI that was released in December 2009, called Grizzly Steppe, Russian Malicious Cyber Activity. The report is very light on details, but what the report basically says is... I have the words here: it describes cyber operations attributed to Russian civilian and military intelligence services to compromise and exploit networks and endpoints associated with the US election, as well as a range of US government, political, and private sector entities. Maybe you heard this. Probably the more interesting thing here is the detail of two spear phishing attacks. So what's spear phishing? What's a phishing attack? It's that we're going to send a fake email out and try to lure you into giving your credentials to someone. I would spoof an email to you, or send you an email and say, hey, this is Google, you need to change your password, and you click on that link, but instead of going to Google you go to my web page that looks exactly like the Google change-password page, or whatever. So that's like broad phishing; I'm going to send it out. What's spear phishing? So they're targeting a high-profile individual, or an individual. So now you can actually target the email that you're sending; instead of a generic "hey, you need to update your email," they would send you "hey Adam, you need to change your password," and so it looks much more legitimate, targeted towards services that you're using. It's super interesting. So there were two of them. One, in the summer of 2015, they sent a malicious link, a link to a phishing website, to a thousand recipients, including legitimate domains. So that's actually an interesting thing here; I took this from the report. I think their wording here... I think what they mean to say is these links, the emails, were sent from legitimate domains; the ones they were sent to were also legitimate domains. So basically they exploited what were known-good servers in order to perpetrate this spear phishing attack. So instead of seeing an email from some random person that you've never seen, the email is actually coming from a trusted domain. It was a pool stack, it was a what? A spear phishing attack? A pool stack, yes, very sophisticated, and learned. Then the most recent one: in the summer of 2016 they sent targeted spear phishing attacks tricking recipients into changing their passwords. So I have some screenshots for this. So it was apparently an email that was sent, and it says: someone just used your password and tried to log into your Google account; here are the details; Google stopped the sign-in attempt at this time; you should change your password immediately. So there's a change password button, and when you click on that it's not the Google thing, it's a bit.ly link, and if you go to this bit.ly link you can see... so where's the link?

Oh, they don't show it here. That's good. You can see it's going to "my account". So one thing is it's not HTTPS. That should actually be a first big indicator: you shouldn't put your password into something that's not HTTPS. So it's http://myaccount.google.com-securitysettingpage.tk. And the other cool thing here is the security sign-in options: password equals this... fn... image, which one... one of these, I thought I would be able to tell by looking at it. I think these are just base64 encoded. One of these is the actual person's name and email, so they know which page to generate when you go to it. When you go to it you can see the exact page; you can see it looks just like Google, it has the person's picture and email address. And so all it takes is you putting your password in here for these bad actors to steal it. So it's kind of an interesting question: if you saw something that looked like this, would you put your password in? We all like to say we would not, but the evidence says otherwise. Okay, any questions on this? This is a legit example; this is the Podesta email hack. Okay, cool.

How's that? Oh, all right, cool. Now we can knock this out. We did all that; we talked about sad people who ended up in jail because they used their knowledge of computing systems to perpetrate fraud and to commit crimes. Now we can talk about ethics. Okay, ethics is very broad; we're not going to talk about... we're going to talk about doing what's right. What time is it?
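The two tells the lecture points out in that phishing link (plain http, and a host that merely contains "google.com" while really belonging to a .tk domain) plus the base64 query values are easy to check mechanically. The following is an added example for this transcript, not code from the lecture or the course: the host is the lookalike pattern discussed above, while the URL path, the query parameter names `e` and `fn`, and the decoded values are constructed placeholders.

```python
"""Constructed example: triaging a suspected credential-phishing URL."""
import base64
import binascii
from urllib.parse import parse_qs, urlparse


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a host name.

    This is a deliberate simplification: multi-label public suffixes such
    as "co.uk" are not handled. A production triage tool would consult the
    Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def try_base64(value: str):
    """Decode a (possibly URL-safe, possibly unpadded) base64 query value.

    Returns the decoded UTF-8 string, or None if the value is not base64.
    """
    std = value.replace("-", "+").replace("_", "/")
    padded = std + "=" * (-len(std) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def assess_login_url(url: str, expected_domain: str = "google.com") -> dict:
    """Flag the indicators a defender would look for before entering a password.

    Findings: missing TLS, and a host whose registrable domain is not the
    expected one (including lookalikes that embed the expected domain as a
    substring, e.g. "myaccount.google.com-securitysettingpage.tk").
    Base64 query values are decoded so an analyst can see who the page was
    generated for.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    reg = registrable_domain(host)
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if reg != expected_domain:
        if expected_domain in host:
            findings.append(
                "lookalike host: contains %s but belongs to %s" % (expected_domain, reg)
            )
        else:
            findings.append("host belongs to %s, not %s" % (reg, expected_domain))
    decoded = {k: try_base64(v[0]) for k, v in parse_qs(parts.query).items()}
    return {
        "host": host,
        "registrable_domain": reg,
        "findings": findings,
        "decoded_params": decoded,
        "suspicious": bool(findings),
    }


def build_sample_url() -> str:
    """Construct a URL in the shape of the one discussed in the lecture.

    Only the host follows the real lookalike pattern; the path, the
    parameter names and the encoded name/email are made-up placeholders.
    """
    def enc(s: str) -> str:
        return base64.urlsafe_b64encode(s.encode()).decode().rstrip("=")

    return (
        "http://myaccount.google.com-securitysettingpage.tk"
        "/security/signinoptions/password"
        "?e=%s&fn=%s" % (enc("jdoe@example.com"), enc("John Doe"))
    )


if __name__ == "__main__":
    for u in (build_sample_url(),
              "https://myaccount.google.com/security/signinoptions/password"):
        r = assess_login_url(u)
        print(u)
        print("  registrable domain:", r["registrable_domain"])
        print("  findings:", r["findings"] or "none")
        print("  decoded params:", r["decoded_params"])
```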
55. All right, cool. Okay, so avoiding jail. This section is very critical, so I need to make sure... Some people generally have a problem with some of the techniques that I teach. Some people don't want people to be taught about offensive security techniques or software vulnerabilities or exploitation. I firmly believe that these are incredibly important things to learn, but you have to commit; the way I can teach this is by getting you all on board with the idea, ethically. So, avoiding jail. We all want to avoid jail. Does anyone want to go to jail? There's a decent amount of foreign students in here; you don't want to do that. It's pretty easy: don't do anything illegal. Okay, we're done. So in a hacking context, what does this mean? What do you think this means in the context of hacking and security? Is an exploit... not exploiting, yes, others' computers. This is the key. So you can never, ever hack into a system that you do not own or have permission for, right? And does that mean permission from me? No. No. Do not attempt to find vulnerabilities; even attempting to find vulnerabilities in a system that you do not own or you do not have permission for is absolutely not permitted. This is something I do take very seriously, because I can get in trouble with this, the university can get in trouble with this, you can get in trouble. I don't want to get in trouble, I don't want to be in jail. The solution is you can do anything you want to your own machines that you own; that is the beautiful part. You can't try to break into somebody else's machine because you downloaded an exploit that can do that. So here's how to practice without going to jail: download the source code onto your own server or a system that you control, run the thing locally, and try to find vulnerabilities in it. That's perfectly 100% fine. The other cool way: try to find vulnerabilities in a system that has a bug bounty program. So there are, I think I have links in here, lots of bug bounty programs. Facebook has them, lots of others that I can't figure out... GitHub, I think, has them, where they say, hey, if you follow these rules, we give you permission to try to find vulnerabilities in our website. Then, as long as you follow those rules, you're totally good. The third way that's really cool is being academic. So sometimes, as part of our research, we need to measure things like how many websites out there are vulnerable to cross-site scripting or SQL injection, or we just did a recent project on email header injection vulnerabilities. So we developed a system that actually went out and exploited these vulnerabilities, but we made sure to do it in a way that did not cause any harm and that was ethically consistent. So this is part of my job, to do this. So one way to do that is to work with me on research; you can do that stuff. Bug bounty programs: lots of sites do this; you can actually earn real dollars or fame from this. You have to make sure that they give you permission and you must understand what's in scope. So yeah, these are just Google, Facebook, AT&T, Coinbase, Etsy, GitHub, Heroku, Microsoft, PayPal; the list goes on and on. bugcrowd.com has a nice list of a bunch of bug bounty programs.

So why is it important to follow the rules? So there was an incident at Facebook where a security researcher found a vulnerability on Facebook that allowed you to post on anyone's wall without being a friend of theirs. It's a pretty serious vulnerability. Unfortunately this researcher tried to communicate with the Facebook security team to let them know about this vulnerability, and there was an English barrier there; the person, I think they were Turkish or something, they weren't a native English speaker, they really weren't explaining themselves properly. Plus the bug bounty people have like thousands of these reports, a lot of them garbage, to go through. So the communication broke down, and so the researcher then decided, well, I'll just post on Mark Zuckerberg's wall, which he did. It got fixed in like an hour or something. Unfortunately, even though he found a vulnerability that would have awarded him money, that monetary value Facebook was willing to pay for that, Facebook said, hey, you didn't follow the policy. Facebook actually has a super cool system where you can just sign up to be a security tester and you get your own version of Facebook; you can create accounts and do whatever you want on there. So you have a sandbox you can play in, and they specifically say in their terms, do not do anything on the real Facebook website. But this person violated those terms by doing this and thus wasn't eligible for the money. So kind of look at what it looks like; you can see here this guy says, "Dear Mark Zuckerberg, first, sorry to break the privacy of your wall; I had no other choice to make after all the reports..." He probably says a little bit more. So he's reporting it on Zuckerberg's wall.

So this leads us to an interesting aspect of ethics here. So if you find a vulnerability in any software, what is your responsibility? So put yourself in the shoes of a security researcher; I'm going to give you the tools and knowledge to do this. You find a vulnerability in Chrome; what do you do? What was it? Report it to Google. What else, do you have any other options? Make it public. Sell it to someone that can use it. Sell it to someone, that was the third option, yeah. So there's different ways of thinking about this. So the "tell the world" option is full disclosure. So what's the benefit of telling the world? You get credit; that's a good one. It gets fixed, right? People will take this seriously. Why will it get fixed? Because once everybody knows, the bad guys know too, and they will very shortly develop exploits for it. What's the downside? More breaking. What was that? More breaking, yeah. You could be... I'm not making a judgment call on any of these; I think I lean more towards other types of disclosure, but I know some people do believe very strongly in full disclosure. You are putting people at risk; bad guys may take that information that you gained and cause harm with it. On the flip side, let's say you tell Google and they tell you to go away, or they don't work with you; then sometimes that's your only responsibility, that is the only avenue available to you to get things fixed. What I'm more in favor of is responsible disclosure. So "responsible disclosure" is a very loaded term; it means that if you choose anything else it's irresponsible. I like to think of it as working with the company or group. So when you find something, you try to work with the company; if you can't, then I'm totally on board with full disclosure. So that's kind of my personal ethics around this situation; you can develop your own. The other one is you can sell the information to the black and grey market. So the black market would be selling it to a government that you know is going to be using it against their citizens to invade their privacy; or even that would be more grey, I guess. The black market could be like selling an exploit to hackers who are definitely going to use it. That's how that works. Ultimately it's a personal decision. I'm a firm believer in responsible disclosure, giving them enough time to fix it. It's one of these things where you as a researcher found this thing, you really want to get it fixed, but, you know, because the flip side is, let's say it takes the company three months to develop a patch for this. Well, now you knew about this three months ago, and let's say it's being actively exploited but nobody knows about it. Now you caused basically three months of people being exposed that, if you had gone full disclosure, would have been fixed. So you kind of have to weigh those options. On the other hand, when you're talking about software like Windows, the amount of testing that goes into Windows is insane; they test it on all types of hardware, like the test matrix is just crazy. So it can take two or three months to effectively develop a patch. Most companies are good, and a lot of the good thing that I've seen is, if you decide to eventually go full disclosure, you have a section there that says what steps you tried to take to talk to the company, to prove that you kind of tried to do your part.

Okay, final thing I want to talk about; we've got one more thing. Would you hire a hacker to secure your network? Pros: constantly, they have an attacker mindset. So yeah, they know the attacker's mindset, right. Pros, yeah, maybe there's no... defense, right? There's definitely a link there, but I don't think it goes one to one; just because you know how to attack something doesn't mean you know how to defend it. Cons: questionable morals, and their costs; they've already gotten caught for committing fraud, maybe their ethical compass is all messed up. You know, why would you want that to start with? Yeah, exactly: how would you fire this person? Maybe they could put that forward; maybe they're going to open the sewage gates as soon as you fire them, right? It's an open problem. Yeah, so this is kind of a succinct way to say it: I don't want to hire an arsonist to be the fire marshal, although they may know a lot about starting fires. Job responsibilities may be at odds with their personal interests. Anyways, people are hired a lot; consulting firms... if you want to hire him, first up finding clothes on... if you want to hire, sorry. And this will actually tie back into the Joaquin talk last week on Wednesday: legal hacking, penetration testing, is a profession where you are hired by companies to break into their systems and perform vulnerability analysis, which we're going to study in this class, followed by actual exploitation. So you demonstrate to the company, look, these are what we could do. It's usually black box, where you don't have access to their source code, so it's simulating a real attacker. It's product processes, yeah. All right, we'll stop here. Thanks everyone, see you on Monday.