 through my testing and to make sure the recording would work and switching between slides and writing. It's a lot of you. Interesting. I hope all of you stick around towards the end. So, actually, surprisingly, I see a lot of familiar faces. Well, maybe not surprisingly, because I talk 340, but I see a lot of familiar faces, so it's good to see most of you. It's good to see everyone. I'm very happy to be teaching 465. I know on Thursday you guys got an overview of the class, but I'd like to take a little bit of time to kind of introduce me to all of you and maybe get to know each other a little bit, and then we'll kind of jump right into the course materials. So, for those that don't know me, I'm Adam DuPay. I'm an assistant professor in SINSEE of the computer science program. I did my, let's see, I've been here, this is my fourth year, so I've been here for three years now, and I did my PhD, so my background is, I did my undergrad at UC Santa Barbara, and I did basically their equivalent of the 4 plus 1 program, so I did four years of undergrad, one year of masters, and after I was done with that, probably like a lot of you, I was like, I am done with academia, I'm going to go work, I'm going to make tons of money, I never want to go in another classroom again, and I had a full-time job, so I was working at Microsoft, so doing software development as an STE, and during that time I was working on my master's project, which ended up becoming a research paper, and I remember I was working on it, and I was just like, I actually distinctly remember the moment, I was on the bus home from Microsoft and Redmond to my place in Seattle, and I remember reading this paper and going, wow, like I don't know, we did something new, we did something novel, something that nobody's ever done before, and we just kind of took that first step, but I can see where all those other research steps could take us and really kind of advance the field, and so that's when I kind of started thinking about a PhD, so I was at Microsoft for a year, decided to go back to UC Santa Barbara for my PhD, where I did that in four years, and then I was lucky enough to get done here, and I've been here for three years, so my research, this is like my area, so I consider myself like a system security researcher, so we want to find problems in all kinds of things. My PhD was on web application vulnerability analysis, so how can you automatically find security vulnerabilities in a web application, either through statically analyzing the code, or by dynamic black box interaction with the web application. Since then, I've worked on a number of things, I've gone into mobile network security with SDN, a little bit of Bitcoin research, yeah, kind of wherever the students are interested in going, that's kind of where we'll go, so that's a little bit about me, and we're going to have any questions before I jump into stuff. You can ask questions, don't be shy, everyone's friends here. How many of you had to choose for your PhD research, what made you choose to go into like web page vulnerability? So it was kind of partly a continuation of my master's, so my master's project was essentially, so there's tools out there, commercial tools, black box vulnerability analysis tools, like acrynetics, or proxy, has a scanning mode, that will try to automatically find vulnerabilities. One of the really difficult things is how do you evaluate these tools, you can run them on a certain website, they'll say I found five vulnerabilities, does that mean the tool is good? What's good about that? I found something, right, and you as a human can verify, let's say those five are actual real vulnerabilities, so that's good, right? No? Anybody think that's horrible? Want to argue the opposite point? Yes, so let's say exactly, I made this request on this page, I think this parameter is vulnerable to, let's say, cross-excripting. So if I find five of these, they're 100% correct. Yes, that's the big question, right? You can say, okay, I found five vulnerabilities, but how many vulnerabilities were there in that site? Were there only six? Which means the tool was pretty good. Were there a hundred? It was okay, maybe five percent is not so good. Were there a thousand or ten thousand, right? And so this lack of ground truth about the vulnerabilities makes it very difficult to evaluate these tools. So for our master project, we created a web application with no vulnerabilities. So I created it, I put 16 vulnerabilities in, and then we evaluated 11 of these, both open source and commercial tools on this website to see, okay, how many of these 16 vulnerabilities do they actually find? And that kind of led me in more of my research direction, which was, okay, so how do we improve these tools, right? How can we make these tools smarter, more intelligent? How can we get them to find more vulnerabilities? And so that's something I've been doing really since then, and I'm still working in that area, too, is how to make these tools smarter. Eventually, my goal is to put all of future uses, in case anybody's a penetration tester, I want to put them out of work, and I want to completely automate their process. So the idea is kind of how can we get programs to think and analyze the web application like a human. So that was that area. But I've done other work in hacking competitions and all kinds of things. So are you incorporating artificial intelligence into your program today? It depends on who you ask. So if you're going to give me money, I'd say, yes, I'm definitely doing artificial intelligence. If anybody wants to do that, I'm happy to talk. But more realistically, so there's kind of, I mean, part of the resurgence of AI is that they can consider anything if it's an algorithm that's artificial intelligence. Specifically for this new project that we are using a branch of machine learning called inductive programming. I'll give you a brief overview. The idea is what I realize is that when I'm testing a web application, I'm interacting with it, and I'm not just trying to understand how it works. I'm not just trying to build some model of how it works. I'm actually trying to infer how was that website likely written. What does that code look like that's executing on that remote server? But because of the website, I can't actually see that code. So I choose my knowledge as a web developer of what kind of mistakes do I make, what kind of mistakes do web developers make. And it turns out there's a branch of machine learning called inductive programming where the idea was programming is really hard, which probably hopefully you all would agree with. And wouldn't it be great if you could just give some program input output samples and say, hey, this is what I want my program to look like. And then it could actually synthesize you and create a program for you. So kind of we realized, hey, we can actually use these techniques on a web application. So we can interact with a web application and then try to infer what is the source code executing on that other side so that then we can try to find vulnerabilities in our abstracted source code. So kind of. But I think I'll merge more and more as we go along. And actually a lot of the AI people, it's a similar situation. You have some agent in an unknown environment, which is the website, it can interact with this environment, which can change that environment. So how do you do that with the goal of eventually finding vulnerabilities? This is fun. This is actually setting us up for a lot of what we're going to talk about today. Yes, 100%. A big factor of that, to be completely honest, is the salary cut. So I took like a third or a quarter salary cut to go back to be a PhD student. And part of that was the lag between paycheck and mindset. So kind of when you have a self-revelopment gig and you're 22 just out of school, you're just like, oh, something cool on Amazon. That's $100. Buy it. Without even thinking about it. And you just have like a stream of Amazon packages. That mentality does not connect when you go back for your PhD. You have to be, I and I, that took me a couple months to learn, was that, where did all my money go? When you look back at your Amazon purchase history and you're like, oh, that's why. So you have to tighten those things down. So that's one mindset. But I will say, I think it's good in another aspect. So to do your PhD, you have to do some new, fundamentally new, unique novel research. And that's not easy. In your classes, usually we give you a programming assignment and we know how to do. You go out there, you do it. In research, you often don't even, you may be kind of understanding the question, but maybe not. And so you're out there trying new things. It takes a lot of consistent and dedicated effort to really kind of bang your head against a research problem until you can actually make a breakthrough. So where I say a lot of PhD students fail is they come from undergrad or masters directly into a PhD. They're very smart people but they treat their research project like a class project. They're like, I'll work on it when I feel like it, when the inspiration strikes me. And you really can't have that mindset. So what I found nice is I approached the work mindset of, okay, I'm going to work for eight hours a day on this research project and doing that consistently over the course of weeks and months leads to results. Did your PhD work end up as like a tool or project or something released? Yes. So most I think three quarters of my research projects are open source code. It's on my GitHub page. It is just code. Our poor TA, the way I first talked to her is she emailed me from Iran where she was doing her masters and she was building on a research tool that I had developed. I think this was right when I started my faculty position. So I was incredibly impressed with everything. So I was like, I can't help you A and B. I feel so sorry for you that you have to go work with that code because it's crappy research code that you just kind of have to write. I mean it's even worse than prototype code because you just kind of need to get something. And oftentimes the prototype, you know what direction you're supposed to be going in. With a research prototype, you have to take all these different paths and sometimes you don't remove all that extraneous code. There's no real programming practices that you follow or anything. No tests. So yes, there it is. When you were at Microsoft, were you working on stuff similar to your research or just general software? No, actually. So that's part of what I realized. A small part of my decision to go back was to kind of focus on security. So at Microsoft, I was a software developer. I was under Windows Server and inside there I was on the user assistance team. So my team basically developed how to manage all of the in-house technical document writing tools as well as all the build management tools. So we had a custom content management system. We had a custom editor that the technical writers would use to write their technical content. So it was cool to me. I mean, I don't know, I really like solving interesting problems. So you know, there's a lot of interesting problems to be solved there, but I wasn't really doing something new, like something that has never been done. And I found out when I went back there that a couple of years ago I switched everything to markdown and like threw away all the stuff that we had built. So it's kind of sad. But it was fun while I was there. Anything else? We have probably time for about one or two more. So, stylized this course. So really, the goal of this course is to give you a broad overview of the entire computer security area and information assurance area. So there's a lot of courses that I'm sure you've seen the IA curriculum we have here at ASU. And it's actually one of the big strengths about ASU is we have so many security courses. So the idea of this course is to really give you a broad overview of the field and then you can kind of choose where you want to go in depth on certain topics. And so as part of that, my kind of personal preference when I'm not only teaching but as a student is I like interactive classes. So I'm not going to I hope I'm not. So stop me if I do. But I will hopefully not just stand up here and talk about slides and throw definitions at you. I want this to be kind of an interactive class where we are discussing and thinking about things. So this is why it is really important. If you have a question or you have something to say, raise your hand. Because if you don't, there's a high likelihood that I will just call on you. I don't have a phone system for this but I can kind of know where the questions are coming from. So I'm having a question from you 10 people over there. So I think that's good. I think we're all here to learn. So it's okay to make mistakes. It's okay to say something silly. Just be an adult. Okay. And then the other thing, speaking of adults, is everyone here an adult? 13, legally adults? Yes. There's no children president. If you are, that's fine. Hey, good on you. If you are, come see me afterwards. We can make special arrangements for you where I can remind you when things are due. But for the rest of you, I'm going to treat you like adults and professionals. So, you know, I'll announce when things are due on the mailing list. I expect you to read that. I'm not necessarily going to remind you in class or remind you the day before. So, you know, I'm going to treat you like adults so please act like them. So, why are we here? What is security? Yes, it is. It's a very rough question. So I just called it overview. But how can we even talk about is a system secure or is something secure? Or what could be the security problems there? If we don't even know if we don't have any language of what we're going to talk about here. So we want to throw out an aspect. You don't have to make a cover or try to enable the whole thing. Protection from attack. What's in attack? Anything you don't want? Protecting what? I was just going to say how sturdy or infallible it is. Infallible. That's a little bit of a big Do any of you write infallible code? I've seen some of your 340 projects. Whether that's true or not. What else? Finding vulnerabilities. Finding vulnerabilities? What does that mean? On top of protecting against attacks, looking for a way to prevent an attack from happening by looking for potential vulnerabilities in whatever system you're working on. So we have a couple high level notions here. We have this notion of an attack. We have this notion of what you actually want something to do. We have another notion of systems. What kind of things are we talking about? What does security apply to? Property in the right hands. Be that intellectual property or physical? Interesting. You sound kind of like a lawyer. I hope not. Lawyers are good people. It's kind of tied into this property. Your intellectual property you may want to keep safe. What other kinds of systems do we think about? Or things. We're talking really broad here. What about from over here? Protection from error. What's the difference between an error versus something else? User error. Maybe we want to protect them from themselves. We're definitely going to hit that in the course. What kind of systems? What things do you care about? Security. Money. Money? Personal information. How? What kind of money? My bank. Your bank. So I guess who deals with your bank security? I don't know. Do you manage your bank security? I don't know. So presumably you're trusting that they are some security managers in place and that they are keeping your money secure. If that fails, what happens if the bank gets robbed? You go broke. FDIC insured by the government? Is it up to $250,000 I want to say? Per account? I don't know exactly what the numbers are. Even if somebody goes and breaks into a bank and steals all the money, the federal government are insuring your money and saying you can still get that money back. Hopefully you're doing some of your own security for your bank account. Not getting into your account and unsecure networks. That's actually an interesting aspect. So you're eating your online money, not the physical money that's stored there. You're trusting that the bank is hiring the right security people, has the right security measures in place. But there is this shared aspect where if your password is let's say password and I know that and I log into your bank account and I can transfer money from your account to my account, I wouldn't be strong to say that the user has 100% of the blame there, but there's definitely this intermingling there. What are the kinds of systems? Phones? So what about phones? You keep a lot of your personal information on them nowadays, such as big accounts, emails for other people, addresses, phone numbers. So what are you worried about with your phone? Do you have an app on your phone that can steal all that? Someone just getting on the back end of the network, anything like that. What about losing your phone? Are you worried about your home? Does anybody not lock their doors when they leave? I was actually shocked. My parents were both with the Sacramento Sheriff's Department. So we literally always lock the door every single time we leave. So I was shocked to learn that other people don't do that, like as a habit. Like I just leave and lock the door, I don't know. But sometimes people leave doors open, right? So there's kind of multiple aspects here that we've been talking about. So there's different things that we care about security. So we care maybe about, you could say digital or I like the term computer security. If we can just all agree to try to never say the term cybersecurity in this class, I think I'll be incredibly happy and hopefully you'll be incredibly happy too. Part of the reason for this is that the security area really started using the term computer security to kind of as an umbrella term to describe computers, networks, everything kind of related to that. And then, so the military. So one of the three things that the military cares about securing was that much more broad. I think somebody said it. The country. The country, but how do they do that? One of the different fields that they care about. Land, sea and air? Land, sea and air, exactly. So these are what they consider their different spaces. So the air force, does the air space, army, and sea would be the navy. So these are the ways that the military thinks about physical combat in these three realms. But as computers became more and more important, and the internet became more and more important, they identified a fourth area. What do you think I call that? Cyberspace. Yeah, which was actually a term coined in one of the Gibson books. I don't remember which one. Does that remember? Is it Neuromancer? Yeah. Okay, yeah. So actually as a science fiction writer who coined this term cyberspace, which then the military started using to refer to this new fourth dimension in conflicts, was this cyberspace. And do we have to think about cyberspace? And so you have all of these academics and security professionals too, who talk about information assurance and computer security. And then you have all these politicians who I guess this is being recorded, who are not technically savvy throwing around the term cyberspace and cybersacurity, when really it's a term that came from sci-fi and has no meaning and no specifics. So this was an incredibly long rant about why we choose to use different terms. But it's important to remember who you're talking to. So for instance, I'm going to tomorrow to an all day workshop or a conference that's called the Cybersecurity Conference. And I'll be using that term a lot because I'll be talking with politicians and people in government and that's the language they speak. So I will definitely change the terms that I use. It kills me a little bit inside. But you have to do what you have to do. And so part of what this class is doing is this is us, especially in the beginning, establishing a shared vocabulary of terms of definition of, in some cases, jargon. But this is what security folks, computer security people use to talk with each other. This is the language that they use. So it's kind of important that you learn these norms so that you can communicate correctly. So one thing to notice here, I don't have anything on this slide. I don't know what security is. I mean, we have kind of notions of security. We can try to define it. Every definition is going to be a little bit different. But really it's kind of capturing this notion of, I'm trying to be as general as possible. So yes, all these notions that we talked about we want to ensure that something operates in the way it was intended to. It would be an okay kind of general definition of security. But this is way too broad. We can't think like this in terms of just things and breaking and what are they supposed to do and fallibility, all these good concepts. So there are three things that we kind of generally think about and if you've already seen these before, don't answer something that other people kind of think about them. So there's three components we try to think about when we think about the security of the system. And these are essentially more or less universal traits that apply to almost any system. I would say definitely or mostly to computer systems as well. So what do you care about? We talked about that. So banking. What do we actually care about in our bank system? Money gets to where it's supposed to be and everybody has how many balances they're supposed to have. What was that? Availability. Availability? So you want to actually be able to go to the bank whenever you want to, right? Would it be really annoying if you're trying to pull up your banking app and it said, oh sorry the bank hours are from 9 to 5 and try again later? Or even worse if there was no error message and you just saw that. So that's actually the third one that we'll talk about. Availability. So part of what a system should do is people should be allowed to use it. If nobody can use your system, then you really compromise what that thing is supposed to do. It literally does nothing. So that's a really good point. Availability is not like a binary yes or no thing. It could be maybe I can degrade something just enough to really bug you or maybe that's a good example of that. I think a related example is, so if you're going to rob a bank we've been talking about banks. If you're going to digitally rob a bank, they have a lot of alert systems that will send emails to administrators whenever something is attacked or they detect something is wrong. And so you as an attacker know this. What you'd love to do is to be able to shut down their email server because then they can never get those emails so they'll never know that they didn't receive those emails. But email server and I say server but it's probably a collection of servers and they're pretty beefy. So you can probably guess like a big organization has pretty good service and email deliverability. So then what do you do if you're an attacker? So what's your goal? Yeah, so that would be one aspect is create a lot of false alarms. So if you had a long time frame, you could do that. You could hit, let's say the bank system with a fake attack that launches an alert at 11am every morning and you do this for six months. And then on the six month and one day you actually do launch your attack that works. And they have kind of gotten used to this alert that just says oh yeah that's just that alert that always happens at this time. What else? Like somebody else says something? Yeah. Could overload a system? So many alerts that it just couldn't handle. Yeah, so this would be so this is actually relying on the alert system to overload the alert system but you can actually just overload the email system. So what they do in actual instances I've heard of this is they'll send not spam messages because spam messages are likely to be caught by their spam filter but literally just random email addresses with random content they will just fire at all of the employees on those systems so that their inboxes are just completely filled with garbage so they never even see those alerts. So this would be another essentially an attack on the availability of their email system not necessarily by taking it down or making it work too much but by giving it so much garbage that a human can't filter and sort through them to see the actual attack signals there. Cool. So availability is a big one? What other aspects do you care about? So we're talking about the phone. So what things do you care about with your phone? You couldn't find it? I guess that would be an availability problem, yes. What else? Speed. What was that? Speed. So how fast it is? You've got new apps like Apple Wall where you have multiple different apps for the single look-in space. So what are you worried about there? What could somebody do? Someone could access your entire portfolio and everything. Right, so you want essentially your credit card information that's stored on your phone you want that to be privately only accessible to you. Right, somebody else brought up earlier this idea of you have, I think, how do we phrase it? Sensitive content on your phone that you don't want other people to see. And so that would be another aspect. So let's say there's an awesome song that you've written in your notes of your phone app. So you want that to remain confidential to you. You wouldn't want somebody to steal that and go record your hit song that you should have done. So those are all kind of under the same umbrella of confidentiality. So which means we want to keep that information confidential that only the people who are authorized should be able to see that. So we want to keep things essentially secret. That's kind of also how I think of confidentiality, keeping things secret. We want to make sure that things are available. Is that it? So let's think about the bank attacker. Oh, you got something in the bank. So you may not, speaking of the bank example, you may actually not care whether people or an attacker knows how much money is in your account. It depends on how many zeros are in there I guess. But I mean that is something that you want. We don't go around blabbing the contents of our bank account. But what do we really care about there? Yes, that somebody can't change the value of our bank account to zero. Or maybe if we're in the negative then that's a good thing. But the idea is that number, that account balance, should only change if we authorize it to change by either making a transfer, making a withdrawal, spending somebody without credit card, however we do that. So we think of security in kind of three things. So we think about confidentiality. Are we keeping things that should be secret secret? We think about integrity was the second one we just talked about. So we want to make sure that an unauthorized party or somebody else can't modify and change our data without us knowing about it or without it actually being authorized. And so we're going to get into right now we're just doing kind of high overview so we can talk about these concepts. We're giving that access control which is a way that we can try to enforce confidentiality and integrity actually. Encryption will also be a mechanism that we'll use to enforce confidentiality. So for integrity, so what do we care so we talk about our bank account information. So we care about somebody not being able to zero out our account. So we'd want to probably prevent anyone from doing that. So integrity kind of has two aspects. One is prevention where you can stop something from actually occurring. The other though is what is the bank, maybe work at a bank or have worked at a bank. Good so I can make stuff up and you'll never know. So what does the bank do? Let's say quarterly. They do interest, what else do they do? Audits. Audits, what's an audit? It's a process. Worked in building and finance. The things they have to do is make sure that everybody that has access to this particular server, they have a valid business reason. So an email gets sent to that person's manager asking that manager is this person supposed to have access and if the response doesn't come back in a day that access can shut up. If they don't need access then they shouldn't have access. So generally in the audit is some company performing some action to kind of review and make sure that the state of the system matches. So for a bank we want to make sure that all the transactions were valid, that somebody didn't transfer $100 from one account to the other but that account balance actually increased by $300. So you want to make sure that all the transactions are matched up with all the accounts. So you take the account balances at the end, the account balances at the beginning, the series of transactions and you make sure that those matched. So it's kind of double checking. But why do they care about this? Because the damage is already done at that point. So why is this important? You have to figure out why those things happen. Yes, you end, you need to know that they actually did happen. So that you can look into it to try to understand how can we stop this in the future. So this is the other side of the coin kind of an integrity, I mean this idea of detection. So prevention is great because you can try to stop things from happening but often times you can't prevent everything from occurring. So you want some kind of so you also want to be able to detect when the security of the system has been compromised. That way you can look at it, you can review it, you can fix it, you can do all those kinds of things. That third thing is availability. So kind of the term that we usually use is the denial of service attack. So usually do some kind of denial of service attack that will take down some server or system or I think my favorite denial of service story is when I was in my new employee orientation at Microsoft for my internship, when I interned there, we were having a competition to, I don't know, it was a stupid like different thing but my friend was on the other team and it was like a, it must have been like some kind of tricky a thing and so I saw him looking up on his phone, this was probably 2007, 2008, not a lot of people had internet on their phones, so I saw him using the internet on his phone to look up the answer so I started calling his phone so that it would keep ringing and popping up my picture and you'd have to stop that and then go back to the, to his browsing so I just kept doing that over and over to try to basically denial of service him and make it so that he couldn't look up the answer. He was not very happy afterwards. It was probably not a good way to make friends but he got over it. Any questions on these? In regards to detection, could you quantify maybe how much it is automated and how often there's someone sitting behind a desk looking after these things? No. The short answer. Can I quantify? No. So this is actually, it'll be something that we'll talk about kind of throughout but really security and thinking about the security of the system is very context dependent so I can't just answer this question kind of vacuum, right? Of how much detection should be, you should be doing, how much of that detection should be automated versus manual and if you think about it, it really makes sense, right? Because let's say you really want your bank, your Chase, your Charles Schwab to actually be putting a lot of money and effort into these practices, into detecting things and maintaining the security of their network. It's probably less important I like to use the website that I buy my socks from, right? They don't even store my credit card number, they use Stripe or Paypal or something so there's not a lot of my information there. They shouldn't be spending the same amount of money as something like Chase or Schwab on this detection mechanisms because it just doesn't make sense business-wise for them, right? And so then if you think about what should the website be doing versus what does the military do or what should the military be doing, right? They have a completely different way of thinking about this and for them these cost ratios change too, right? They have people there that they can literally assign to a job of looking through alerts and traffic logs and all those kinds of stuff so it's a difficult question and there's no right answers. Every organization, every system has to make their own trade-offs and the questions on these, these are super important. These three things. I mean these are something you should know. Alright so these are kind of very broad categories when we think about what makes up security, right? We want to make sure we're thinking about the confidentiality of the integrity and the availability of systems. Super easy way to memorize this is CIA. That's how I always memorize it and that's why I always write it in this order. You just have to watch out when you're at a security conference. You say confidentiality, integrity, availability. If you just say CIA people get a little weird. So these kind of make up essentially the properties we want to ensure about our systems. We want to ensure that the confidential data is confidential, the data integrity is maintained, and the integrity of the system is maintained, and that the system is available. But we also want to think about the other side. We want to think about what are the possible threats to our system. And so this is kind of an important concept that is again specific to a system. So we need to talk about threats kind of in the context of a specific system. For instance, let's say that I said on a website you could completely change the content of any of the pages on that website. That sound like a threat? Is it in every single website? What website would not want that? Whitehouse.gov. Whitehouse.gov, yes. Would not want anybody to be able to change any of the content on any of those pages. Would any website want that? Wikipedia. Yeah, like our favorite website. How would we ever know things? It's actually funny, it's like watching old TV shows and they're like standing around talking about old actors or something. And I'm like, how do you spell the same? I don't know. I'm just like, look it up on Wikipedia. But it doesn't exist yet. So similarly to threats, we think about threats towards a system. And we'll talk about kind of general classes of threats. But really when we say what kind of threats apply, what kind of things apply, it's about the context and what that system is supposed to do. So Wikipedia is supposed to be that anybody can edit any page. Is that actually the case? Why not? Because that would lead to anarchy and insanity. So what controls does Wikipedia have in place? They can automatically detect like, joke edits and stuff like that all the time. Yeah, I've been on the receiving end of that. Oh, weird. Not that you've been on the receiving end, but weird that they have mechanisms to detect joke edits. That's funny. Like profanity and stuff. Yeah, so profanity filters, that would make sense. Yeah. I know. Yes. So yeah, they built this kind of hierarchy of different people that have editors and contributors and I don't know, all this crazy stuff. It's something super controversial that they can just lock a page from being edited. And they also have the ability, you have all the history so you can, editors can easily revert to any point in time. They've built up all these structures because just allowing completely everyone to edit everything is insane. So this is why discussing even the security of something like Wikipedia, which at its core sounds very easy, anybody should be able to contribute to this encyclopedia to add knowledge is actually very difficult to try to even express what a security mean in terms of Wikipedia. But it's clear that this ability for anyone to edit any page on Wikipedia or to create any page doesn't exist in every website and would literally be threats that other websites consider because what happens if our server gets hacked and somebody changes the content of our page. So this is the fun part. So this is why I love security is we get to think like attackers without actually getting into trouble and going to jail because we have to think through what are the things that an attacker can do. So what are some kind of threats? Let's just talk about threats. What things should we be worried about? Let's kind of think about computer systems instead of house threats because we'll talk about that in a second. What things they shouldn't be able to do? What kinds of things? So now we're getting a little bit more specific. So rather than just authorize users doing a lot of threats things this is probably a good catch-all. Well, if it was a password protected site you could change people's passwords so they wouldn't have access. Yeah, so that would be definitely an availability. So yeah, trying to kind of attack people by changing their passwords or resetting their passwords or doing something like that so they can't log in. You can do that with an admin maybe so they can't stop you. Hashes, patterns that are coming through on a data transfer so they can actually enter into other hashes and be able to figure out what passwords are. Yes, so I'm going to broadly describe that as essentially disclosure of data that you want to keep safe. So you want to keep people's passwords safe. If you disclose that data that's a threat that websites have to deal with and think about. Is it possible for somebody to disclose this data? Tricking in user input box to kind of run malicious code on something that may not have proper intents or what was originally intended. So what kind of threat would that cause to the system? You could get it to dump info from tables such as passwords or that kind of stuff. You could get it to give you very personal information if it is money-seek or that kind of stuff. Yeah, so we'll get into the specific ways you go about doing this but generally, any kind of way you can disclose have the system disclose data to you, have the system if you can get a system to run code of your choosing it's kind of game over at that point. You can essentially do whatever the system allows you to do. But it does it again depend on context. Let's say I give you all access to one of my servers and you each can SSH into my server. If you then do that and you say but I can run arbitrary commands and do arbitrary things on this server. I say yeah that's the point of giving you access to the server. You can write C code you can compile it, you can run it. That's the point but you're running it as your user. Now if you find a way to run code as another user or edit and alter another user's files then we have a problem. Yeah. Destruction of data yeah kind of another flip side of availability is if I can destroy your data if I can somehow destroy go into all of the current companies, hack into their databases and destroy them and all their backups at the same time. I could cause mass havoc. Send to much traffic so you can't use it anymore. Yeah so maybe overloading so kind of one threat in the availability space would be deleting data, overloading the system resources whether it be network, server, disk, any of these kinds of things. Yeah. Our user security for instance like if our users get hacked from our website like someone put like Java script or something in there, I get a script reduction and it takes them on our site to someone else's site and that should allow Java script to access actually. Yeah so yeah the threat would be kind of the web security stuff will definitely get into it so it's tricky and a hairy beast but we'll definitely talk about those aspects. So yeah some of the things we've talked about disclosure is kind of a very broad threat category we can think about me stealing your user name passwords and kind of like logging in as you identify that. I don't know I'm not a lawyer. Is it good? Social engineering so there's yeah human oriented threats so what is social engineering? So as opposed to attacking the network we're attacking the weakest link in the network itself? Yeah so a lot of times actually a lot of kind of modern attacks especially it seems to be against domain registrar so maybe I shouldn't put this idea in your head so don't do this but if you wanted to take over my domain name right one way to do that would be to maybe have call in to go daddy and say hey I really want to you know I need to change my password I'm locked out and they say okay we'll verify this information and you say I'm sorry I can't do that and I'm on my way to class and I have to teach this class and this domain name for my class and I just my 132 students who have no idea what it's like to stand in front of 132 students and realize that they're not going to be able to access their homework and this is incredibly critical you just keep talking over and over until the customer service representative finally relents to reset your password to something. This happened to go daddy in particular but I've definitely heard that this happens and if you don't believe it you can go look there's YouTube videos of social engineering attacks where people do is a journalist will go to somebody who's good at this and they'll say something like I don't know change the address on my cell phone bill or whatever and so they'll call up AT&T and do exactly this thing to kind of convince a human to do it so I think this leads us into our next one. Deception, right so this is kind of a actually I think it's a little bit too broad but it's an interesting way to think about threats of how can you actually verify that somebody is like how do you guys actually know that I am at a buffet oh then take about that video I'm just going to be feeding you BS, right. This happens in books and movies all the time Harry Potter people impersonate each other constantly and they're really performing deception and trying to impersonate other people because it's actually very difficult to accurately determine somebody's identity I don't even know if any of you are who say they are a new student comes in like my PhD students they come in they're like hi I'm so and so and I'm like okay I know that name and so great guys we're working together now right it could be somebody random you don't know disruption right so this kind of goes under all those threats and attacks that we talked about all types of availability attacks right if I can disrupt your system then that's a threat we kind of need to consider and think about and these are pretty broad categories so this is kind of like a broad categorical thing that we'll kind of talk about and then we'll go a little bit more in depth into common threats that you guys have to deal with and then you can serve some kind of control or mechanism right so this could be maybe even if I don't know the admin's username and password maybe by taking advantage of a vulnerability in the website I can log in as the admin right so these are kind of the broad categories let's see so a little bit more level some kind of low level threats we actually do need to think about so why is Edward Snowden in because he committed treason because he committed treason why what was the treasonous act disclosing all of the NSA did what did he disclose NSA programs yeah but what was the result of that so we know the program is over there he disclosed the NSA surveillance surveillance of what us everyone can yeah so part of actually one of the major really concrete things that actually he leaked and that was actually fixed as a result so Google if you're not aware has huge data centers full of servers and machines and they're actually super cool and then all color coded like in the Google primary colors so it looks really cool but that's besides the point but when the data centers would I believe internally and also externally between data centers exchange data they wouldn't encrypt that data right so think about all of the data you have on Google all your emails right these are being you know replicated across servers inside Google and Google thought hey this is all internal to Google things so you know what I mean it's kind of a natural business thing is you encrypt data coming in but once it's in you kind of trust your systems but what the result of the NSA leaks was that Google and other companies essentially the NSA had wiretaps inside their organizations I can't remember exactly if it was routers or what the exact mechanism was it's been a while but by doing this they were able to snoop on all the Google data and look at and observe all of the data that Google thought was confidential and private to Google but it actually was not so as a result of this Google now encrypts all the communications between each of the servers as a direct result of that so this is kind of one kind of one category and idea and threat that is much more concrete is worrying about snooping or also called wiretapping so wiretapping is a super old term when they actually wanted to listen in on phone calls and had to put the wire into the phone wire to listen in on the phone call it doesn't make sense at all as a term itself but it's still kind of the thing that we use and this cases does snooping come up in wiretapping so we're talking about NSA listening on traffic, yeah currently we've gone wrong but I've heard there's issues with lack of encryption in terms of the data our cell phones send back through AT&T, through Verizon, etc. interesting so the data and say I think if I remember correctly 4G and above like 4G and LTE by default they do use encryption to talk to the base station but if your adversary includes somebody who's willing to create a fake base station I believe definitely 3G I think probably 4G basically your phone communicates with the base station to say hey what kind of encryption are we using and one of the responses from the base station can be no encryption and so if somebody wanted to snoop they could actively create a base station and say no encryption and then they would get access to all of your information I mean it depends on kind of higher level things too what so yeah that's definitely one what else so similar to mobile ooh yes I'd say yes so physical snooping so what's shoulder surfing that when you go surfing I'll like yeah so do anyone ever worry about when they're logging into their cell so who uses a pin on their cell phone the pattern yeah who uses a pattern who doesn't use anything hopefully this class will convince you otherwise or maybe you've already evaluated your threat it's all on your phone if not hopefully you could change yeah so one of the threats there when you're unlocking your phone is it's a whatever 6 digit pin it's a some kind of pattern is that if somebody's looking at what you're doing can they actually understand and this gets even worse now with things like the old Google glass what's the Snapchat classes that's just what they call it yeah okay so with Google glass Snapchat had these glasses where you could I think automatically post or something I don't know the point is with all kinds of recording devices that you can put in glasses cell phones all these kind of things the attacker doesn't even have to memorize what your pattern is right off the bat all they have to do is see it and record it and play it back and think about it later so when they steal your cell phone they can immediately unlock it and maybe get into it install some backdoor keylogger some kind of thing that's going to steal your information and then put it back if they don't actually want to steal it they just want to steal all the information so yeah physical snooping is an interesting one so this is why I always when either my students or somebody I work with is like logging into their computer I kind of deliberately make a point to look away to remember their password just from them typing it but at least I'm communicating to them that I know that this is a thing and so I'm deliberately not going to do that here yeah that's good so we're talking about modification and alteration of data right so this is definitely a threat so can somebody alter this data so the question of the bank is can somebody alter my bank balance who is not me it's in where someone was hacking the group out of those phones they're at their USB charging station I try to prevent someone from basically doing something like that yeah so there's physical threats so we're talking about phones shoulder snooping we're talking about installing a malicious app so often times a USB device will provide you a charge so pretend to be a computer and try to interact with your phone so older versions of Android used to just 100% allow that with no user notification newer versions I think will pop up something that says hey this machine is trying to connect to you do you want to allow it you'd be like I plugged in at an airport charging station so no that's definitely difficult so one of the subcategories is actually a key term that will come up again and again in security modification alteration is what's known as a man in the middle attack it should be a man or a woman in the middle it's not really but an attacker in the middle who's altering and changing traffic that goes through so the difference between basically the snooping right so here the NSA or some let's say large government organization is just listening to all the packets all the traffic looking at what's going on here with the man in the middle attack you can actually change those values so let's say I'm in between the connection from you to your bank and you say hey I want to transfer $1,000 from my account A into my account B I look at that request and I go actually I'm going to change that account B to Adam's account C and now the bank sees it and sees hey you want to transfer your account $1,000 from A to C great done and the transaction goes through so this is a really big threat that we need to think about and we'll be discussing a lot is man in the middle attack alright so we talk about this masquerading spoofing so this kind of goes into the deception broad category so we can talk about physically how do we even know you know who we are right establishing identity but even more so than that let's say on my network I have it let's say I have a server at home and I have it be the case where my laptop can always SSH into the server with no password right and I've set that up because of the IP address of my laptop so you get onto my network or let's say I buy an Amazon Echo or something put it in my network now it's inside my network somebody acts into that so it is now inside my network now they can't SSH into my server because it's not the right IP address so the question is and the threat is could they try to spoof my laptop's IP address in order to SSH into that machine so we'll look at all kinds of these trust issues so this is one of the key things so really what we're trying to develop here is an adversarial mindset of looking at a system and thinking what are all the different ways that I can break it and by going over and trying to learn about and talk about these common threats we can say okay I know about this attack could we snoop that traffic what happens if we were able to snoop that traffic is there anything we could do with that could I modify or change that traffic how would the system respond to that what if I spoofed could I somehow spoof another user so even though these are high level concepts we'll see if they have a tight kind of mixing with the actual implementation so you need to know all this technology involved to be able to actually answer this question of is this possible so what does delegation mean is it just what I do when I want my T to teach my class for me answers yes but what else is it and what makes that different from masquerading exactly so I may let's say I don't have a an assistant that would be cool but let's say I had an assistant and I could delegate access to my email to this person so that if they were to log into the system it's 100% okay right this is an authorized login because I've delegated this authority to this other third party whereas if you one of you guesses my password and logs in is me that is not authorized and so it's definitely you masquerading and you're attacking the system. Repudiation, what does it mean? Yes so denying something that you've done or being able to deny something that you've done right so the question is if I think of a real world example great example right yeah so then the credit card company is kind of taking the hit and they actually have teams that try to decide did you actually make this charge or not right and so they can have data they can look at different time zones different kinds of things to try to determine did you actually make this charge or not or maybe they're so big they just decide it's under like loss prevention so it's fine it's like a five dollar charge I don't know but yeah so this is kind of a common threat right is how can somebody can they say oh I never got this right and how can we develop mechanisms and systems to do the opposite right so that you can actually say no you did send this you did say this thing and here's proof and here's why cool similar kind of concept denial of receipt I never got that right so you could think about Amazon when Amazon chips you a box and they say delivered and you say it's not delivered what are you talking about somebody must have stolen it right and they'll just send you a new one most of the time depends on yeah which I've had happen to me I've had boxes stolen before and it just but Amazon kind of has a cost to do business so they just send you a new one and everything's fine so yeah this is definitely a common threat that we want to to think about it kind of related the last two are very similar to this idea we've kind of been talking over and over again about availability right I may be able to introduce some delay into the system I may be able to attack the system cause some denial of service attacks these are all definitely common threats so now that we've put our attacker hats on and we've thought about attackers how do we defend against threats you're developing some system you're in charge of securing this system how do you defend against all those threats just guess hope the best multiple steps of verification what are you verifying someone gave you a password and they text their phone or something is that person versus oh you text them and it's like no app was not me yeah so we could look at the steps I don't know what are we trying to do yeah so make it difficult for them to get the stuff but again part of the problem is this is a context dependent problem so it depends on what thing we're talking about the first step is really to understand the system is the system and what should it do we'll talk a little bit later about what we mean there but once we know what it is and what it should do we can try some of the attacks against the system does that prove the if none of the attacks were successful does that prove that the system is secure so we first want to think what should the system do and then we want to come up with some policies and say okay this is security policies this is what the system should do so the first step is just articulating what is the security policy for your system exactly so yeah so basically you need some notion of what is and is not allowed if you don't have that then you do not understand the system well enough to be able to even launch attacks or to be able to validate that those attacks were successful and so we're going to do a little bit about policy so policy is kind of this high level what is allowed and what is not allowed how do we enforce that policy magically happen? yes so we need some kind of mechanisms and that mechanism could be access control it could be a corporate policy it could be we'll look at different types of mechanisms but generally we just have some mechanisms so we have a policy which tells us what the system should and should not do and mechanisms are things that try to implement and enforce that policy these will be actual controls that do something so for instance you all been in the break yard right? what's the access policy of the break yard what's the policy what was that? request access what was the default policy? can you go to the break yard right now? until 6pm and not before when? does anyone know the before time? I think it's 7 I don't want to say so I think I got here once for a defense that was at 7 I got early and left my badge at home when I couldn't get in it's either 7 or 8 so the policy the break yards access control security policy says that anybody should be able to access the break yard building between the hours of 7 and 7am and 6pm right but it says that people should not be able to access the building after that unless what? unless you have authorized permission unless you filled out an Isaac form which is signed by a faculty member that you have specific access what about days of the week does anybody try to go to the break yard on the weekend? so that's another point right so our policy needs to be more fine grained it's not just you can't access the entire building only between 7 and 6pm right as students you can I believe automatically access the second floor anytime right kind of 210 and then the labs back there but you can't go to the fourth floor if you tried your badge on the fourth floor you wouldn't be able to do it so we not only need to think like this policy is dependent on the time right so there's a time aspect there's a day aspect there's even a holiday aspect I don't know how but the system knows the holidays and so if you come in on a Monday it's a holiday I have to badge in even though it's you know between 7 and 6 on a Monday ah good yes that would be a very terrible policy but it says you can you can only leave between certain you know if it didn't specify that anyone can leave the building and what happens if the fire alarms go off no day is shut down I would guess that you could probably still enter I believe all those controls would be disabled and the doors you could go through but I haven't actually checked that I don't want to but it's an important thing to consider right because so these are all part of the policy of what's the and it seems insanely simple right for university we have buildings we have times that we can access those buildings but it's actually incredibly complex and notice that we didn't talk really about the badges or badging into the building or any of the actual mechanisms because that's really not important right if the building I may be getting a little bit of a stretch but if the building just said hey you can't if the policy was hey these are the only times you can access this building and the mechanism is if we catch you doing this and you don't have access we'll kick you out is that effective I mean out of ASU I mean you have mechanisms that could enforce the policy right but it may not be the best mechanism and we'll talk about different ways of doing that on Thursday but the point is that the policy and the mechanism are separate concepts and separate things right we can derive the policy if we don't know it exactly from the mechanisms but the badge door itself is not the policy right the badge door the system the Isaac system is just enforcing our policy using the security mechanism so think about defending a house and think about what policies you want and what types of mechanisms you want to enforce those policies