Computer Security http://security.di.unimi.it/sicurezza1819 Chapter - - PowerPoint PPT Presentation

computer security
SMART_READER_LITE
LIVE PREVIEW

Computer Security http://security.di.unimi.it/sicurezza1819 Chapter - - PowerPoint PPT Presentation

Mar 02, 2023 344 likes •607 views

Computer Security http://security.di.unimi.it/sicurezza1819 Chapter 1: 1 / Info corso di Sicurezza Docente corso Andrea Lanzi: andrea.lanzi@unimi.it Pagina corso: http://security.di.unimi.it/sicurezza1819/ Orario di ricevimento su

slide-1
SLIDE 1

Chapter 1: 1

Computer Security

http://security.di.unimi.it/sicurezza1819 /

slide-2
SLIDE 2

Chapter 1: 2

Info corso di Sicurezza

▪ Docente corso Andrea Lanzi:

andrea.lanzi@unimi.it

▪ Pagina corso:

http://security.di.unimi.it/sicurezza1819/

▪ Orario di ricevimento su appuntamento

via e-mail.

slide-3
SLIDE 3

Chapter 1: 3

Chapter 1: History of Computer Security

slide-4
SLIDE 4

Chapter 1: 4

Introduction

▪ Security is a journey, not a destination. ▪ Computer security has been travelling for

forty years.

▪ The challenges faced have kept changing. ▪ So have the answers to familiar challenges. ▪ Security mechanisms must be seen in the

context of the IT landscape they were developed for.

slide-5
SLIDE 5

Chapter 1: 5

Epochs

▪ 1930s: people as “computers” ▪ 1940s: first electronic computers ▪ 1950s: start of an industry ▪ 1960s: software comes into its own ▪ 1970s: age of the mainframe ▪ 1980s: age of the PC ▪ 1990s: age of the Internet ▪ 2000s: age of the Web

slide-6
SLIDE 6

Chapter 1: 6

In recent years the Air Force has become increasingly aware of the problem of computer security. This problem has

intruded on virtually any aspect of USAF operations and

  • administration. The problem arises from a combination of factors that

includes: greater reliance on the computer as a data

processing and decision making tool in sensitive functional areas; the need to realize economies by consolidating ADP

resources thereby integrating or co-locating previously separate data processing operations; the emergence of complex resource sharing computer systems providing users with capabilities for sharing data and processes with other users; the extension of resource sharing concepts to networks of computers; and the slowly growing

recognition of security inadequacies of currently available computer systems.

Starting Point: Anderson Report, 1972

slide-7
SLIDE 7

Chapter 1: 7

1970s: Mainframes – Data Crunchers

▪ Technology: Winchester disk (IBM) 35-70 megabytes

memory.

▪ Application: data crunching in large organisations and

government departments.

▪ Protection of classified data in the defence sector

dominates security research and development.

▪ Social security applications and the like. ▪ Security controls in the system core: operating

systems, database management systems

slide-8
SLIDE 8

Chapter 1: 8

1970s: Security Issues

▪ Military applications:

➢ Anderson report ➢ Multi-level security (MLS) ➢ Bell LaPadula model

▪ Status today: High assurance systems developed

(e.g. Multics) but do not address today’s issues.

▪ Non-classified but sensitive applications

➢ DES, public research on cryptography ➢ Privacy legislation ➢ Statistical database security

slide-9
SLIDE 9

Chapter 1: 9

1980s: PCs – Office Workers

▪ Technology: Personal Computer, GUI, mouse, … ▪ Application: word processors, spreadsheets, i.e.

  • ffice work.

▪ Liberation from control by the IT department. ▪ Single-user machines processing unclassified data:

No need for multi-user security or for MLS.

▪ Risk analysis: no need for computer security. ▪ Security evaluation: Orange Book (TCSEC, 1983/85):

Driven by the defence applications of the 1970s.

slide-10
SLIDE 10

Chapter 1: 10

1980s: Security Issues

▪ Research on MLS systems still going strong; Orange

Book, MLS for relational databases.

▪ Clark-Wilson model: first appearance of “commercial

security” in mainstream security research.

▪ Worms and viruses: research proposals, before

appearing in the wild.

➢ Also the worm comes from Xerox park (1982) …

▪ Intel 80386 drops support for segmentation.

slide-11
SLIDE 11

Chapter 1: 11

1980s: An Early Worm

▪ First internet worm 1988, the famous Morris's Worm ▪ Buffer overflow on Fingerd daemon, force password

  • n remote login, bad configurations of Sendmail.

▪ The worm penetrated 5-10 \% of the machines on

internet.

▪ The person responsible for the worm was brought to

court and sentenced to a $ 10,050 fine and 400 hours

  • f community service.
slide-12
SLIDE 12

Chapter 1: 12

1990s: Internet – Surfers Paradise?

▪ Technology: Internet, commercially used. ▪ Applications: World Wide Web (static content), email,

entertainment (music, movies), …

▪ Single-user machine that had lost its defences in the

previous decade is now exposed to the “hostile” Internet.

▪ No control on who can send what to a machine on

the Internet.

slide-13
SLIDE 13

Chapter 1: 13

1990s: Internet – Surfers Paradise?

▪ Technology: Internet, commercially used, Web 1.0. ▪ Applications: Web surfing, email, entertainment, … ▪ Single-user machine that had lost its defences in the

previous decade now exposed to “hostile” Internet.

▪ No control on who can send what to a machine on

the Internet.

▪ Buffer overrun attacks:

➢ Aleph One (1996): Smashing the Stack for Fun and Profit

▪ “Add-on” security controls: firewalls, SSL, browser

sandbox as reference monitor, …

slide-14
SLIDE 14

Chapter 1: 14

1990s: Security Issues

▪ Crypto wars: is wide-spread use of strong cryptography a good idea? ➢ Internet security treated as a communications security problem. ▪ Buffer overrun attacks: ➢ Aleph One: Smashing the Stack for Fun and Profit ➢ Internet security is mainly an end systems issue! ▪ Java security model: the sandbox. ▪ Trusted Computing; DRM ▪ Status today: mature security protocols (IPsec, SSL/TLS), better software security.

slide-15
SLIDE 15

Chapter 1: 15

2000s: Web – e-Commerce

▪ Technology: Web services, WLAN, PKI?? ▪ Web 2.0: dynamic content ▪ B2C applications: Amazon, eBay, airlines, on-line

shops, Google, ...

▪ Criminal activity replaces “hackers”. ▪ Legislation to encourage use of electronic signatures. ▪ PKIs have not taken off; e-commerce has essentially

evolved without them.

slide-16
SLIDE 16

Chapter 1: 16

2000s: Security Issues

▪ SSL/TLS for secure sessions. ▪ Software security: the problems are shifting from the

  • perating systems to the applications (SQL injection,

cross-site scripting, DNS attack).

▪ Security controls moving to application layer: Web

pages start to perform security checks.

▪ Access control for virtual organisations: e.g. federated

identity management.

▪ Security of end systems managed by the user (take

care of your system).

slide-17
SLIDE 17

Chapter 1: 17

2000s: Security Issues

▪ Botnet as a new attack organization. ▪ CyberCrime is born which aim is to exploit

technologies business to make money.

▪ APT attack: “Advanced persistent threat (APT) usually

refers to a group, such as a government, with both the capability and the intent to persistently and effectively target a specific entity. The term is commonly use to espionage using a variety of intelligence gathering techniques to access sensitive information.”

▪ Different actors: Cybercrimimal, Hacktivists,

Governments.

slide-18
SLIDE 18

Chapter 1: 18

2000s: Target Attacks

Stuxnet is a computer virus that was discovered in June 2010. It was designed to attack Siemens Step7 software running on a Windows operating system. Stuxnet almost ruined one-fifth of the Iranian nuclear centrifuge by spinning out of control while simultaneously replaying the recorded system values. Duqu, a new worm was found, thought to be related to

  • Stuxnet. The Laboratory of Cryptography and System

Security (CrySyS) of Budapest University analyzed the malware, naming the threat Duqu. The exfiltrated data may be used to enable a future Stuxnet-like attack (2011)

slide-19
SLIDE 19

Chapter 1: 19

2010s: Eletronic weapon

▪ Exploit Kit and attack companies: Hacking Team,

Milan, Italy and Vupen France (0-day attack)

▪ They provide rootkit, zero day to the government to

espionage.

▪ FBI Behind the attack of anonimity network TOR.

slide-20
SLIDE 20

Chapter 1: 20

2018: Security Issues

slide-21
SLIDE 21

Chapter 1: 21

2018: Security Issues

slide-22
SLIDE 22

Chapter 1: 22

2018: Security Issues

slide-23
SLIDE 23

Chapter 1: 23

2018: Security Issues

slide-24
SLIDE 24

Chapter 1: 24

Cambridge Analytica

▪ The data analytics firm that worked with Donald

Trump’s election team and the winning Brexit campaign harvested millions of Facebook profiles of US voters, in one of the tech giant’s biggest ever data breaches.

▪ The data was collected through an app called

thisisyourdigitallife, built by academic Aleksandr Kogan, separately from his work at Cambridge University.

▪ However, the app also collected the information of

the test-takers’ Facebook friends, leading to the accumulation of a data pool tens of millions-strong

slide-25
SLIDE 25

Chapter 1: 25

Summary

▪ Innovations (mouse, GUI, PC, WWW, worms,

viruses) find their way out of research labs into the mass market.

▪ Innovations are not always used as expected: email

  • n the Internet, SMS in GSM.

▪ Also the users are inventive! ▪ When new technology are used in innovative ways,

  • ld security paradigms may no longer apply and the

well engineered ‘old’ security solutions become irrelevant.

▪ We can start all over again …