Why are your linux files secure?
|
|
- Thomas Boone
- 5 years ago
- Views:
Transcription
1 Security Page 1 Why are your linux files secure? Thursday, November 29, :48 AM Why are your linux files secure? Part 1: the concept of identity. user, group,... Part 2: the concept of protection. the protection word: rwxr-xr-- Part 3: mutating protections (legally). chmod, chgrp (chown) Part 4: mutating protections (illegally).
2 Security Page 2 chmod, chgrp, chown Wednesday, December 6, :29 PM Protection manipulations require that one owns the inode. chmod {octal number} {file or directory} "change mode": set protection for thing. chgrp {group name} {file or directory} change group chown {user name} {file or directory} change ownership (root only)
3 Security Page 3 What you don't want to see in your account Wednesday, November 30, :56 PM What you don't want to see in your account: foo mode=rwsrwsrwx owner=root group=root Setuid root Setgid root world executable Whoever runs this gets root on your workstation. What a rootkit actually does, in some form: cp /bin/csh foo chown root foo chgrp root foo chmod foo so that anyone who runs foo gets a root shell. Almost as bad: for a normal user: cp /bin/csh bar chmod bar so that anyone who runs bar gets access to your account. This just requires your privilege, not root.
4 Security Page 4 The chain of privilege Sunday, December 04, :36 PM The chain of privilege People login as users, which have groups and own files, which determine what the user can do. Privilege can only be changed via processes. which can run with privileges of the invoker (default) or the owner (or group) (setuid, setgid) of the file that is run.
5 Security Page 5 A misconception on the midterm Wednesday, December 04, :28 PM Many people thought that one's privileges are related to parent-child relationships. This is false. The owner of a process retains powers over it, even if it becomes a child of init. The process has the concept of userid (which determines who can send signals to it) and the concept of groupid (which determines which group owns files that it creates). It is ownership of the process that determines who can manipulate it.
6 Security Page 6 How login works Tuesday, December 06, :10 AM How login works: login is run by root. accepts your password. hashes it. compares with (protected) hash of real password (in /etc/shadow or similar). If there is a match, then: fork a child downgrade child privilege to that of user (setuid, setgid, seteuid, setegid) execl the user's shell from the child.
7 Security Page 7 Security and Privacy Wednesday, November 30, :02 PM Security and Privacy Security: you control the things you own. Privacy: it is not seen by others without your permission. In an OS, these are (nearly) equivalent concepts. Two other important concepts Identity: the extent to which the actions of an electronic entity can be traced to a real person. Transparency: the extent to which we can see what people do. Basic problem of security: the internet exhibits weak identity and low transparency.
8 Security Page 8 Two levels of security/privacy Sunday, December 04, :55 PM Two levels of security/privacy in an operating system: Account security: can others control your (personal) account? OS security: can others control your operating system itself? Both of these involve giving a process permissions that it does not deserve.
9 Security Page 9 What can a regular user do? Sunday, December 04, :16 PM What can a regular user do? Grant anyone the power to become the user. Set traps for other users. Set up a rogue network service. Attack other machines (in the local network). Poison DNS, ARP, etc. Send containing malicious code to others.
10 Security Page 10 What can root do? Tuesday, December 06, :39 PM What can root do? Compromise the accounts of all users. Become any user and do anything. Corrupt services used by external machines. Poison the basic infrastructure of the internet.
11 Security Page 11 Warning: the law and cracking Sunday, December 04, :09 PM Warning: the law and cracking The things I will now describe are illegal. I do not condone these things. You should not engage in them. But you must know what others can do to you.
12 Security Page 12 Protecting yourself Sunday, December 04, :56 PM Protecting yourself Assume nothing. If it looks too good to be true, it is. Understand that people can do anything, Even very implausible things.
13 Security Page 13 An aside: human factors of security Wednesday, December 04, :02 PM According to a 2007 study, "Do you want to allow this software to make changes?" is -- in the minds of most users -- semantically equivalent to "Do you want to get your work done, or not?" Weakest link in any system is the human user.
14 Security Page 14 Social engineering Sunday, December 04, :01 PM Social Engineering A professional hacker's most effective tool. Convince others that you are someone you're not: A microsoft technical support specialist. An amazon technical support person. An ebay technical support person. (Use your imagination) In the natural course of playing that role, trick your victims into compromising their security and privacy: By running untrusted software. By disclosing their passwords, either directly or indirectly.
15 Security Page 15 Security Myths and Realities Sunday, December 04, :50 PM Security Myths and Realities Myth: The main cause of security breaches is technical. The most effective attacks trick the machine. The most effective attack vector is a software weakness. Reality: The main cause of very serious security breaches is human error. The most effective attacks trick users. The most effective attack vector is to con a user into believing something that isn' t true. Cracking is a confidence game.
16 Security Page 16 Hacking versus cracking Sunday, December 04, :56 PM Hacking versus cracking Hacking has a positive and a negative connotation: Positive: someone who writes mystically powerful code. Negative: someone who breaks into computers. Cracking is less confusing: No positive connotation. Breaks into computers, by any means necessary. Not even necessarily a good programmer.
17 Security Page 17 Why crackers crack? Tuesday, December 06, :35 AM Why do crackers crack? Illusion of power. Curiosity. Hatred. Money. What do crackers want? Anonymity. to send Spam to attack other machines. CPU cycles. to run bots and other interesting software. Bandwidth. to run bots and other interesting software.
18 Security Page 18 Principles of effective cracking Wednesday, November 30, :06 PM Principles of effective cracking 1. Don't get caught. 2. In pursuit of (1), obfuscate your identity as much as possible. a. By using exploited systems to exploit others. b. By using exploits that do not require human interaction. 3. Exploit the weakest links: a. Poorly configured systems (and networks) that aren't adequately protected. b. Naïve users who will believe what you tell them. c. Previously exploited systems.
19 Security Page 19 Cracking skills Tuesday, December 06, :15 AM Cracking skills Anonymity: ensuring that your own physical identity is safe. Leapfrogging: using a previously exploited system to break into another. Patience: waiting (perhaps) a long time for results. Curation: filing lists of exploits, systems that can be exploited, and previously exploited systems for future use. Scanning and fingerprinting: determining lists of systems on which an exploit is likely to work. Poisoning: utilizing one exploit to set a (more deadly) trap. Track covering: hiding what you have done to a system.
20 Security Page 20 Hiding identity Sunday, December 04, :14 PM Hiding identity Your identity is as secure as the number of people who have to collaborate to discover it. Especially if those people don't get along. International discord is a cracker's best friend. Ideal scenerio Break into a system in South Korea. From there, break into a system in North Korea. From there, break into a system in the United States. I call this the "principle of social distance".
21 Security Page 21 Reverse Social Engineering Sunday, December 04, :04 PM Most sophisticated attack vector: reverse social engineering Research what software is used in the site. Fake a major distribution of the software; when installed, it breaks the system. Publish the real phone number of the vendor on the fake. Crack the victim's phone system (a weak point) and redirect the real vendor phone number to you. Send the distribution to the victim with the authentic phone number. So, victim installs software, calls vendor, gets you. At this point, you are in a near-perfect cracking situation Victim will swear that you're official; they have "proof"; they called the official number themselves! You are -- in fact -- a slimeball intent on stealing their secrets.
22 Security Page 22 Technical cracking Sunday, December 04, :04 PM Technical cracking Not the big issue in cracking. But a constant nuisance, because a bored 14-year-old can exploit a technical problem. And there are lots and lots of bored 14-year-olds!
23 Security Page 23 Three ingredients Wednesday, December 04, :34 PM Three ingredients Set of exploits Set of fingerprinted machines (they have the capabilities required by the exploit). Tools for computing fingerprints. Previously exploited machines.
24 Security Page 24 Kinds of technical cracking Tuesday, December 06, :03 PM Prevalent kinds of technical cracking Bug exploits. Dictionary attacks. Poisoning.
25 Security Page 25 What is a (technical) vulnerability? Sunday, December 04, :05 PM What is a (technical) vulnerability? Unpredictable user input provides unintentional access. Typical example: buffer overflow attack. Cause: programming that doesn't protect against arbitrary inputs. These vary in severity programs run by normal users: compromise the user account. programs run by root: compromise the system itself.
26 Security Page 26 Buffer overflow attacks Sunday, December 04, :07 PM Buffer overflow attacks Recall that each stack frame contains Local variables. Return addresses. What you might not realize is that: You can overwrite these in upper (earlier) frames from a mistake in a lower (later) frame. You can point return addresses at arbitrary code!
27 Security Page 27 gets is the root of all evil Sunday, December 04, :09 PM gets is the root of all evil gets(buf): reads to end of line, potentially past end of buffer. fgets(buf,len,stdin): reads to either end of line or end of buffer. So, why don't we just rewrite everything? Footprint: millions of lines of code. Subtlety: it is possible to embed a gets-like behavior in other code.
28 Security Page 28 Monday, December 7, :13 PM Two basic exploits stack buffer overflow: points the return value of a frame at unknown machine code. heap buffer overflow: corrupts a pointer to function to point to unknown code. Super specific: tailored to application, os, and version. dependent upon stack layout, buffer size, and many other things. Finger printing: matches super-specific hacks to super-specific systems.
29 Security Page 29 stack overflow attack Tuesday, December 06, :16 PM stack buffer overflow attack Find an input statement without buffer limit. Engineer machine code to put into the buffer. Make input long enough to overwrite the stack frame return pointer (in your frame, or in the previous (upper) one). So that on return, it executes the code you wrote rather than returning! Exploit code already in memory to pursue your attack.
30 These are the amateurs Wednesday, December 6, :01 PM The real crackers use techniques that are much more insidious. End of lecture on 12/6/2017 Security Page 30
31 Security Page 31 Buffer overflow attack vectors Tuesday, December 06, :46 PM Buffer overflow attack vectors User programs. Web sites. Network services (run as root -- yum!)
32 Security Page 32 Properties of a stack overflow attack Tuesday, December 06, :17 PM Properties of an overflow attack Application-specific: only one application. Build-specific: depends on structure of compiled program. Doesn't work if used on any other application or any other build of the same application. (Can break things). Fingerprinting is important: it determines where an exploit will work. Fingerprinting: Using a program to determine the specific configuration of a system, including installed programs and versions.
33 Security Page 33 "systems monoculture" Wednesday, December 04, :46 PM Systems tend to converge -- on a worldwide scale -- to a single build, so that being able to attack one of them makes one able to attack all of them. -- Dan Geer
34 Security Page 34 Exploiting the systems monoculture Tuesday, December 06, :19 PM Exploiting the systems monoculture Stack buffer overflow attacks exploit a systems monoculture: Everyone installs the exact same application program. If the program has a vulnerability, everyone gets that vulnerability.
35 Security Page 35 Countermeasures Tuesday, December 06, :50 PM Countermeasures for buffer overflow attacks Frequent patching for discovered overflow vulnerabilities. System fingerprinting to detect changed files. System scanning for compromised (setuid) files.
36 Security Page 36 Doctor, it hurts if Tuesday, December 06, :32 PM Doctor, it hurts if I do this Then don't do that! It isn't that simple. Millions of lines of contributed code. Indirect buffer overflows: lack of protection occurs in an unpredictable place.
37 Security Page 37 Fuzzing Sunday, December 04, :24 PM Best defense against buffer overflow: fuzz testing Generate random inputs. Classify behaviors. Identify potential overflow behaviors. See
38 Security Page 38 Heap buffer overflows Tuesday, December 06, :48 PM Heap buffer overflows: A program writes into a heap buffer. Input that is too long overwrites other structures. Including structures containing, e.g., function pointers. Result: when function pointer is invoked, the wrong function is called.
39 Security Page 39 Poisoning Tuesday, December 06, :22 PM Poisoning Use one successful exploit as the basis for another. Set up an environment in which users do one thing and have another happen. Three examples: Path poisoning DNS poisoning ARP poisoning
40 Security Page 40 Path Poisoning Tuesday, December 06, :24 PM Path Poisoning Get users to execute a malicious program by putting it into their execution paths. It is named like a regular program: a "trojan horse". Example: "ls" that isn't the real "ls". Malicious program compromises the account of the user. potentially installs still more malicious information. Paydirt: if root executes a trojan, system is compromised. You might have noticed that '.' is not in your execution path. This is why you have to execute./a.out rather than a.out. This is also why a malicious person cannot fool you into executing his own./ls.
41 Security Page 41 DNS Poisoning Tuesday, December 06, :27 PM DNS Poisoning DNS = Domain Name Service = the service that maps from internet names to internet numbers. Fool a system into calling up a malicious system instead of google.com. Malicious system tries to install malware. You think it's google, so you press "OK".
42 Security Page 42 ARP Poisoning Tuesday, December 06, :28 PM ARP Poisoning ARP = address resolution protocol = protocol that maps from internet addresses to local (ethernet) addresses. In the local network, you contact system X and get system Y. Often used to accomplish DNS poisoning by pointing at a local rogue DNS server that the cracker set up.
43 Security Page 43 Why is poisoning possible? Tuesday, December 06, :54 PM Why is poisoning possible? The internet was designed as a "trusting" system. There is no provision for establishing authenticity of a network entity. Further, this naive trust is necessary for proper network operation -- more on this in COMP112.
Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationWhy bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?
Jeroen van Beek 1 Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions? 2 Inadequate OS and application security: Data abuse Stolen information Bandwidth
More informationShellbased Wargaming
Shellbased Wargaming Abstract Wargaming is a hands-on way to learn about computer security and common programming mistakes. This document is intended for readers new to the subject and who are interested
More informationCompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management
CompTIA Security+ Lecture Six Threats and Vulnerabilities Vulnerability Management Copyright 2011 - VTC Malware Malicious code refers to software threats to network and systems, including viruses, Trojan
More informationOutline. Operating System Security CS 239 Computer Security February 23, Introduction. Server Machines Vs. General Purpose Machines
Outline Operating System Security CS 239 Computer Security February 23, 2004 Introduction Memory protection Interprocess communications protection File protection Page 1 Page 2 Introduction Why Is OS Security
More informationThe Eight Rules of Security
The Eight Rules of Security The components of every security decision. Understanding and applying these rules builds a foundation for creating strong and formal practices through which we can make intelligent
More informationComputer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 04r. Pre-exam 1 Concept Review Paul Krzyzanowski Rutgers University Spring 2018 February 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Key ideas from the past four lectures February 15, 2018
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationETHICAL HACKING & COMPUTER FORENSIC SECURITY
ETHICAL HACKING & COMPUTER FORENSIC SECURITY Course Description From forensic computing to network security, the course covers a wide range of subjects. You will learn about web hacking, password cracking,
More informationCSE Computer Security (Fall 2006)
CSE 543 - Computer Security (Fall 2006) Lecture 22 - Language-based security November 16, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ 1 The Morris Worm Robert Morris, a 23 doctoral student from
More information(a) Which of these two conditions (high or low) is considered more serious? Justify your answer.
CS140 Winter 2006 Final Exam Solutions (1) In class we talked about the link count in the inode of the Unix file system being incorrect after a crash. The reference count can either be either too high
More informationProtection and Security. Sarah Diesburg Operating Systems CS 3430
Protection and Security Sarah Diesburg Operating Systems CS 3430 Definitions Security: policy of authorizing accesses Prevents intentional misuses of a system Protection: the actual mechanisms implemented
More informationModern Realities of Securing Active Directory & the Need for AI
Modern Realities of Securing Active Directory & the Need for AI Our Mission: Hacking Anything to Secure Everything 7 Feb 2019 Presenters: Dustin Heywood (EvilMog), Senior Managing Consultant, X-Force Red
More informationSecurity and Authentication
Security and Authentication Authentication and Security A major problem with computer communication Trust Who is sending you those bits What they allow to do in your system 2 Authentication In distributed
More informationAdvanced Systems Security: New Threats
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationAURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo
ETHICAL HACKING (CEH) CURRICULUM Introduction to Ethical Hacking What is Hacking? Who is a Hacker? Skills of a Hacker? Types of Hackers? What are the Ethics and Legality?? Who are at the risk of Hacking
More informationA Review Paper on Network Security Attacks and Defences
EUROPEAN ACADEMIC RESEARCH Vol. IV, Issue 12/ March 2017 ISSN 2286-4822 www.euacademic.org Impact Factor: 3.4546 (UIF) DRJI Value: 5.9 (B+) A Review Paper on Network Security Attacks and ALLYSA ASHLEY
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Homework 2 Due: Monday, February 22nd, at 11:59pm Instructions. This homework is due Monday, February 22nd, at 11:59pm. It must be submitted electronically
More informationSecurity Architecture
Security Architecture We ve been looking at how particular applications are secured We need to secure not just a few particular applications, but many applications, running on separate machines We need
More informationAdvanced Systems Security: Ordinary Operating Systems
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security:
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationOperating systems and security - Overview
Operating systems and security - Overview Protection in Operating systems Protected objects Protecting memory, files User authentication, especially passwords Trusted operating systems, security kernels,
More informationTexSaw Penetration Te st in g
TexSaw Penetration Te st in g What is penetration testing? The process of breaking something or using something for an unintended used case for the purpose of bettering the system or application. This
More informationKeys and Passwords. Steven M. Bellovin October 17,
Keys and Passwords Steven M. Bellovin October 17, 2010 1 Handling Long-Term Keys Where do cryptographic keys come from? How should they be handled? What are the risks? As always, there are tradeoffs Steven
More informationCOPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51
Acknowledgments Introduction Part I: The Basics in Depth 1 Chapter 1: Windows Attacks 3 Attack Classes 3 Automated versus Dedicated Attacker 4 Remote versus Local 7 Types of Attacks 8 Dedicated Manual
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 13: Operating System Security Department of Computer Science and Engineering University at Buffalo 1 Review Previous topics access control authentication session
More informationIncident Response Tools
Incident Response Tools James Madison University Dept. of Computer Science June 13, 2013 1 Introduction Being successfully attacked is inevitable. A determined hacker WILL be able to penetrate your network.
More informationProtection and Security
Protection and Security Security: policy for controlling access to system Protection: mechanism implementing security policy Why: users can do bad things to system either maliciously or unintentionally
More informationTrain employees to avoid inadvertent cyber security breaches
Train employees to avoid inadvertent cyber security breaches TRAIN EMPLOYEES TO AVOID INADVERTENT CYBER SECURITY BREACHES PAGE 2 How much do you know about cyber security? Small business owners often lack
More informationManaging IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services
Managing IT Risk: What Now and What to Look For Presented By Tina Bode IT Assurance Services Agenda 1 2 WHAT TOP TEN IT SECURITY RISKS YOU CAN DO 3 QUESTIONS 2 IT S ALL CONNECTED Introduction All of our
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationcs642 /introduction computer security adam everspaugh
cs642 computer security /introduction adam everspaugh ace@cs.wisc.edu definition Computer Security := understanding and improving the behavior of computing systems in the presence of adversaries adversaries
More informationEthical Hacking and Prevention
Ethical Hacking and Prevention This course is mapped to the popular Ethical Hacking and Prevention Certification Exam from US-Council. This course is meant for those professionals who are looking for comprehensive
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationOverview. Handling Security Incidents. Attack Terms and Concepts. Types of Attacks
Overview Handling Security Incidents Chapter 7 Lecturer: Pei-yih Ting Attacks Security Incidents Handling Security Incidents Incident management Methods and Tools Maintaining Incident Preparedness Standard
More informationCSE 127: Computer Security. Security Concepts. Kirill Levchenko
CSE 127: Computer Security Security Concepts Kirill Levchenko October 3, 2014 Computer Security Protection of systems against an adversary Secrecy: Can t view protected information Integrity: Can t modify
More informationCS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!
CS 642 Homework #4 Due Date: 11:59 p.m. on Tuesday, May 1, 2007 Warning! In this assignment, you will construct and launch attacks against a vulnerable computer on the CS network. The network administrators
More informationCYBERSECURITY PENETRATION TESTING - INTRODUCTION
CYBERSECURITY PENETRATION TESTING - INTRODUCTION Introduction Pen-testing 101 University Focus Our Environment Openness and learning Sharing and collaboration Leads to Security Weaknesses What is Penetration
More informationBEST PRACTICES FOR PERSONAL Security
BEST PRACTICES FOR PERSONAL Email Security Sometimes it feels that the world of email and internet communication is fraught with dangers: malware, viruses, cyber attacks and so on. There are some simple
More informationPrinciples of ICT Systems and Data Security
Principles of ICT Systems and Data Security Ethical Hacking Ethical Hacking What is ethical hacking? Ethical Hacking It is a process where a computer security expert, who specialises in penetration testing
More informationOutline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Language-based Protection: Solution
Outline V22.0202-001 Computer Systems Organization II (Honors) (Introductory Operating Systems) Lecture 21 Language-Based Protection Security April 29, 2002 Announcements Lab 6 due back on May 6th Final
More informationLinux Local Security about Passwords and Data NZPAPER.BLOGSPOT.COM. Nz Paper Linux and Web Application Security. Zeeshan Khan 4/15/2013
1 Linux Local Security about Passwords and Data NZPAPER.BLOGSPOT.COM Nz Paper Linux and Web Application Security Zeeshan Khan 4/15/2013 2 Abstract: As Passwords and other Linux Data play an important role
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationRace Condition Vulnerability Lab
Concordia Institute for Information Systems Engineering - INSE 6130 1 Race Condition Vulnerability Lab Copyright c 2006-2012 Wenliang Du, Syracuse University. The development of this document is funded
More informationEpilogue. Thursday, December 09, 2004
Epilogue Thursday, December 09, 2004 2:16 PM We have taken a rather long journey From the physical hardware, To the code that manages it, To the optimal structure of that code, To models that describe
More informationNetwork Security (and related topics)
Network Security (and related topics) EE122 Fall 2012 Scott Shenker http://inst.eecs.berkeley.edu/~ee122/ Materials with thanks to Jennifer Rexford, Ion Stoica, Vern Paxson and other colleagues at Princeton
More informationNext Week. Network Security (and related topics) Project 3 Q/A. Agenda. My definition of network security. Network Security.
Next Week No sections Network Security (and related topics) EE122 Fall 2012 Scott Shenker http://inst.eecs.berkeley.edu/~ee122/ Materials with thanks to Jennifer Rexford, Ion Stoica, Vern Paxson and other
More information(Refer Slide Time: 1:26)
Information Security-3 Prof. V Kamakoti Department of Computer science and Engineering Indian Institute of Technology Madras Basics of Unix and Network Administration Operating Systems Introduction Mod01,
More informationCS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES
CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES Your name: SUNet ID: In accordance with both the letter and the spirit of the Stanford Honor Code, I did not cheat on this exam. Furthermore,
More informationCST8207: GNU/Linux Operating Systems I Lab Six Linux File System Permissions. Linux File System Permissions (modes) - Part 1
Student Name: Lab Section: Linux File System Permissions (modes) - Part 1 Due Date - Upload to Blackboard by 8:30am Monday March 12, 2012 Submit the completed lab to Blackboard following the Rules for
More informationEthical Hacking Series: 0x01 - Hacking Methodologies. JaxHax Makerspace Travis Phillips
Ethical Hacking Series: 0x01 - Hacking Methodologies JaxHax Makerspace Travis Phillips About Me Member of Jax Hax since it opened. Specializes in Ethical Hacking, IT Security, and penetration testing.
More informationUnix Basics. UNIX Introduction. Lecture 14
Unix Basics Lecture 14 UNIX Introduction The UNIX operating system is made up of three parts; the kernel, the shell and the programs. The kernel of UNIX is the hub of the operating system: it allocates
More informationUnderstanding the Internet
Announcements U.S. National Cybersecurity Understanding the Internet Axess Forum Bios/Photos Law School Event William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University
More informationIt was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to
1 2 It was a dark and stormy night. Seriously. There was a rain storm in Wisconsin, and the line noise dialing into the Unix machines was bad enough to keep putting garbage characters into the command
More informationMain area: Security Additional areas: Digital Access, Information Literacy, Privacy and Reputation
Public Wi Fi Created: March 2016 Last Updated: July 2018 Estimated time: Group or individual activity: Ages: 60 minutes [10 minutes] Activity #1 [15 minutes] Activity #2 [10 minutes] Activity #3 [10 minutes]
More informationOutline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity
CSci 5271 Introduction to Computer Security Day 2: Intro to Software and OS Security Stephen McCamant University of Minnesota, Computer Science & Engineering Security as an economic good Security is a
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationCSC209. Software Tools and Systems Programming. https://mcs.utm.utoronto.ca/~209
CSC209 Software Tools and Systems Programming https://mcs.utm.utoronto.ca/~209 What is this Course About? Software Tools Using them Building them Systems Programming Quirks of C The file system System
More informationctio Computer Hygiene /R S E R ich
Computer Hygiene Protect Yourself You don't want to be part of the problem If there is a serious attack, you want your systems to be clean You rely on your systems on the air these days Packet NBEMS Logging
More informationCOS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy
Topics COS 318: Operating Systems File Systems hierarchy File system abstraction File system operations File system protection 2 Traditional Data Center Hierarchy Evolved Data Center Hierarchy Clients
More informationCSC209. Software Tools and Systems Programming. https://mcs.utm.utoronto.ca/~209
CSC209 Software Tools and Systems Programming https://mcs.utm.utoronto.ca/~209 What is this Course About? Software Tools Using them Building them Systems Programming Quirks of C The file system System
More informationSPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006
SPOOFING Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Learning Objectives Students should be able to: Determine relevance of
More informationHow to Break Software by James Whittaker
How to Break Software by James Whittaker CS 470 Practical Guide to Testing Consider the system as a whole and their interactions File System, Operating System API Application Under Test UI Human invokes
More informationIntroduction to Security and User Authentication
Introduction to Security and User Authentication Brad Karp UCL Computer Science CS GZ03 / M030 14 th November 2016 Topics We ll Cover User login authentication (local and remote) Cryptographic primitives,
More information18-642: Security Mitigation & Validation
18-642: Security Mitigation & Validation 11/27/2017 Security Migitation & Validation Anti-Patterns for security mitigation & validation Poorly considered password policy Poorly considered privilege management
More informationthe bounds of ethical hacking and it only works if the other person is foolish enough to fall prey. Well, I am talking about Z Shadow Hacker here
How to hack gmail Just in case all of Gmail Hacker Pro's features and how easy hacking a Gmail password with it is are not enough to convince you to give it a go we decided to sweeten the deal further.
More informationInstructor: Eric Rettke Phone: (every few days)
Instructor: Eric Rettke Phone: 818 364-7775 email: rettkeeg@lamission.edu (every few days) Fall 2016 Computer Science 411 - Principles of Cyber Security 1 Please keep a copy of the syllabus handy for the
More informationHacking: Ultimate Guide To Ethical Hacking For Beginners PDF
Hacking: Ultimate Guide To Ethical Hacking For Beginners PDF No Nonsense, No Filler, and Straight to the Pointâ â â 60 Day Money Back Guarantee! â â â Hacking is an art and you can do it for fun, disruption
More informationCIS Operating Systems File Systems Security. Professor Qiang Zeng Fall 2017
CIS 5512 - Operating Systems File Systems Security Professor Qiang Zeng Fall 2017 Previous class File and directory Hard link and soft link Mount Layered structure File system design Naïve: linked list
More informationSECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi
SECURITY ON PUBLIC WI-FI New Zealand A guide to help you stay safe online while using public Wi-Fi WHAT S YOUR WI-FI PASSWORD? Enter password for the COFFEE_TIME Wi-Fi network An all too common question
More informationLEARN READ ON TO MORE ABOUT:
For a complete picture of what s going on in your network, look beyond the network itself to correlate events in applications, databases, and middleware. READ ON TO LEARN MORE ABOUT: The larger and more
More informationProgramming Project # 2. cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel)
Programming Project # 2 cs155 Due 5/5/05, 11:59 pm Elizabeth Stinson (Some material from Priyank Patel) Background context Unix permissions model Prof Mitchell will cover during OS security (next week
More informationBitcoin, Security for Cloud & Big Data
Bitcoin, Security for Cloud & Big Data CS 161: Computer Security Prof. David Wagner April 18, 2013 Bitcoin Public, distributed, peer-to-peer, hash-chained audit log of all transactions ( block chain ).
More informationSecure Programming I. Steven M. Bellovin September 28,
Secure Programming I Steven M. Bellovin September 28, 2014 1 If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2 The Heart of the Problem
More informationApplication Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.
Application Layer Attacks Application Layer Attacks Week 2 Part 2 Attacks Against Programs Application Layer Application Layer Attacks come in many forms and can target each of the 5 network protocol layers
More informationThreat Modeling. Bart De Win Secure Application Development Course, Credits to
Threat Modeling Bart De Win bart.dewin@ascure.com Secure Application Development Course, 2009 Credits to Frank Piessens (KUL) for the slides 2 1 Overview Introduction Key Concepts Threats, Vulnerabilities,
More informationCISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker. Upcoming Dates. Course Description. Course Outline
CISSP CEH PKI SECURITY + CEHv9: Certified Ethical Hacker Learn to find security vulnerabilities before the bad guys do! The Certified Ethical Hacker (CEH) class immerses students in an interactive environment
More informationCEH: CERTIFIED ETHICAL HACKER v9
CEH: CERTIFIED ETHICAL HACKER v9 SUMMARY The Certified Ethical Hacker (CEH) program is the core of the most desired information security training system any information security professional will ever
More informationAges Donʼt Fall for Fake: Activity 1 Don t bite that phishing hook! Goals for children. Letʼs talk
Ages 11-14 Donʼt Fall for : Activity 1 Don t bite that phishing hook! Children play a game where they study various emails and texts and try to decide which messages are legit and which are phishing scams.
More informationComputer Network Vulnerabilities
Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like
More informationSpam Protection Guide
Spam Email Protection Guide Version 1.0 Last Modified 5/29/2014 by Mike Copening Contents Overview of Spam at RTS... 1 Types of Spam... 1 Spam Tricks... 2 Imitation of 3 rd Party Email Template... 2 Spoofed
More informationSysSec. Aurélien Francillon
SysSec Aurélien Francillon francill@eurecom.fr https://www.krackattacks.com/ https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-ofhigh-security-keys-750k-estonian-ids/
More informationWho We Are! Natalie Timpone
Who We Are! Natalie Timpone Manager of Security Business Management Office Enterprise Security Awareness Manager Carmelo Walsh Security, Risk, and Compliance Security Awareness Subject Matter Expert Who
More informationMODULE NO.28: Password Cracking
SUBJECT Paper No. and Title Module No. and Title Module Tag PAPER No. 16: Digital Forensics MODULE No. 28: Password Cracking FSC_P16_M28 TABLE OF CONTENTS 1. Learning Outcomes 2. Introduction 3. Nature
More informationStorage and File System
COS 318: Operating Systems Storage and File System Andy Bavier Computer Science Department Princeton University http://www.cs.princeton.edu/courses/archive/fall10/cos318/ Topics Storage hierarchy File
More informationCS 326: Operating Systems. Process Execution. Lecture 5
CS 326: Operating Systems Process Execution Lecture 5 Today s Schedule Process Creation Threads Limited Direct Execution Basic Scheduling 2/5/18 CS 326: Operating Systems 2 Today s Schedule Process Creation
More informationCreate strong passwords
Create strong passwords Passwords are the first line of defense against break-ins to your online accounts and computer, tablet, or phone. Poorly chosen passwords can render your information vulnerable
More informationInstructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3 6 players. Play starts with the 3 of Tampering. Play
More informationHacking Terminology. Mark R. Adams, CISSP KPMG LLP
Hacking Terminology Mark R. Adams, CISSP KPMG LLP Backdoor Also referred to as a trap door. A hole in the security of a system deliberately left in place by designers or maintainers. Hackers may also leave
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationGuide to Network Security First Edition. Chapter One Introduction to Information Security
Guide to Network Security First Edition Chapter One Introduction to Information Security About the Presentations The presentations cover the objectives found in the opening of each chapter. All chapter
More informationCyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX
Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security HTML PHP Database Linux Operating System and Networking: LINUX NETWORKING Information Gathering:
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More informationCh 1: The Mobile Risk Ecosystem. CNIT 128: Hacking Mobile Devices. Updated
Ch 1: The Mobile Risk Ecosystem CNIT 128: Hacking Mobile Devices Updated 1-12-16 The Mobile Ecosystem Popularity of Mobile Devices Insecurity of Mobile Devices The Mobile Risk Model Mobile Network Architecture
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationHow NOT To Get Hacked
How NOT To Get Hacked The right things to do so the bad guys can t do the wrong ones Mark Burnette Partner, LBMC -Risk Services October 25, 2016 Today s Agenda Protecting Against A Hack How should I start?
More informationCase Study: Access Control. Steven M. Bellovin October 4,
Case Study: Access Control Steven M. Bellovin October 4, 2015 1 Case Studies in Access Control Joint software development Mail Steven M. Bellovin October 4, 2015 2 Situations Small team on a single machine
More informationIn this unit we are continuing our discussion of IT security measures.
1 In this unit we are continuing our discussion of IT security measures. 2 One of the best security practices in Information Security is that users should have access only to the resources and systems
More informationPHISHING ATTACKS: 9 BAD HABITS MALICIOUS S LOVE. Proactive IT Solutions.
PHISHING ATTACKS: 9 BAD HABITS MALICIOUS EMAILS LOVE Proactive IT Solutions www.netrixit.com P2 PHISHING ATTACKS: 9 BAD HABITS MALICIOUS EMAILS LOVE A business professional without an overactive, overflowing,
More information