Overview CS161 Computer Security Dawn Song dawnsong cs berkeley edu 1 General Information 4 units Prerequisites CS 61C Machine Structures Math 55 or CS 70 Discrete Mathematics Lecture MW 9 10 30am 310 Soda Berkeley time class starts at 9 10am Discussion sections 2 Course Staff Professor Dawn Song http www cs berkeley edu dawnsong GSI Prateek Saxena 3 Textbooks Required Computer Security 2nd ed Gollmann 1st ed is insufficient Assigned readings will be posted Security in Computing 4th ed Pfleeger Pfleeger Optional Security Engineering Anderson Optional Available in online form 4 Resources Website http inst eecs berkeley edu cs161 fa08 Mailing list cs161 fall08 lists eecs berkeley edu https lists eecs berkeley edu sympa info cs161 spring08 Used for announcements especially urgent notices If you haven t subscribed pls do asap Newsgroup Newsgroup ucb class cs161 Server news berkeley edu from campus authnews berkeley edu off campus See http www net berkeley edu usenet For general class related questions pls post on newsgroup instead of emailing the staff so other students can benefit too 5 Course Load 2 Exams closed book Midterm exam covers the first half of the course Final exam covers the second half of the course 5 Homeworks Three homeworks for first half of semester Two homeworks for second half of semester 3 Projects In groups of two 6 Grading 20 Homeworks 4 each 40 Project 5 Proj 1 15 Proj 2 20 Proj 3 20 Midterm exam 20 Final exam 7 Class Participation Showing up on time is the first step Asking answering questions is encouraged Turn off your cell phone ring in class Treat students and staff with respect 8 Collaborative Work Projects will be in groups of two Homeworks are done individually You may use the following resources Instructors TAs assigned texts posted notes No Googling for answers Consult with TAs over problem cases Always cite references plagiarism is not permitted 9 Academic Dishonesty Policy Copying all or part of another person s work or using reference material not specifically allowed are forms of cheating and will not be tolerated http www eecs berkeley edu Policies acad dis shtml 10 Note on Security Vulnerabilities From time to time we may discuss vulnerabilities in widelydeployed computer systems This is not intended as an invitation to go exploit those vulnerabilities It is important that we be able to discuss real world experience candidly students are expected to behave responsibly Berkeley policy is very clear you may not break into machines that are not your own you may not attempt to attack or subvert system security Breaking into other people s systems is inappropriate and the existence of a security hole is no excuse 11 Typical Lecture Format Attention 20 min Break 20 min Break 25 min In Conclusion Time 2 Minute Review 20 Minute Lecture 5 Minute Administrative Matters 3 Minute Break stretch 20 Minute Lecture 5 Minute Break water stretch 25 Minute Lecture Instructors will come to class early stay after to answer questions 12 Computer Security is Important Unpatched PC survives less than 16 min SANS04 10billion annual financial loss ComputerEconomics05 Worms CodeRed Infected 500 000 servers 2 6billion in damage CNET03 SQL Slammer Internet lost connectivity affected 911 ATM etc Botnets Over 6 million bot infected computers in 3 months Symantec06 61 U S computers infected with spyware National Cyber Security Alliance06 13 Trends Attacks are increasing in scale sophistication severity Real financial incentives 9000 8000 7000 6000 5000 4000 3000 2000 1000 0 1995 1997 1999 2001 2003 2005 CERT Vulnerabilities reported 14 Most common attacks on systems 2006 MITRE CVE stats 21 5 of CVEs were XSS 14 SQL injection 9 5 php includes 7 9 buffer overflow 2005 was the first year that XSS jumped ahead of buffer overflows 15 1 A Thriving Underground Economy Average bot costs 0 04 Zero day vulnerability for 75K SecurityFocus07 Excerpt from Underground Economy IRC Network With one IRC channel 24 hr period just a few samples Accounts worth 1 599 335 80 have been stolen The Underground Economy Priceless login Dec06 16 Automatic Tools for Attacks I anti captcha com We work with tens of thousands of people from all over the world who are ready to work for a small payment to convert text pictures sent by you You give the CAPTCHAs to our server which hands it to the workers In a few seconds our server will receive the converted CAPTCHA as text and relay it back to you As a rule this time does not exceed 20 seconds and that s quite fast enough for a successful registration everywhere there is CAPTCHA in use 17 Automatic Tools for Attacks II Tools to automatically build your malware Select from menu anti AV feature spam ddos anti VM feature etc Tools to automatically distribute your malware Currently loads cc claims to have 264 552 hacked systems in more than a dozen countries that it can use as hosts for any malicious software that clients want to install The latest details from the statistics page displayed for members says the service has gained some 1 679 new infectable nodes in the last two hours and more than 33 000 over the past 24 hours 18 Load cc 19 January 2007 Trends 2007 Security Budgets Increase The Transition To Information Risk Management Begins Security Spending Variance By Industry 20 This Class How to build secure systems How to evaluate security of systems Topics in this class Crypto software security OS security Web security Network security other advanced topics 21 Steal cars with a laptop In April 07 high tech criminals made international headlines when they used a laptop and transmitter to open the locks and start the ignition of an armor plated BMW X5 belonging to soccer player David Beckham the second X5 stolen from him using this technology within six months Beckham s BMW X5s were stolen by thieves who hacked into the codes for the vehicles RFID chips 22 2 Class Topics I Part I Introduction to Cryptography Secret key encryption Public key encryption Hash functions MACs Digital signatures Authentication key exchange protocols Secret sharing random number generator Timing attacks fault attacks etc 23 IPhone Security Flaw Jul 2007 researchers at Independent Security Evaluators said that they could take control of iPhones through a WiFi connection or by tricking users into going to a Web site that contains malicious code The hack the first reported allowed them to tap the wealth of personal information the phones contain Charles Miller shown on his iPhone
View Full Document
Unlocking...