Security Everywhere - Sprint data breach

article: Daily News Roundup: Sprint Got Hacked Through Samsung

https://www.howtogeek.com/fyi/daily-news-roundup-sprint-got-hacked-through-samsung/

This article talks about the data breach that the telecommunication company Sprint experienced. The attack went through Samsung’s website however. The article explains that since Samsung sells phones on its website, it works with carriers directly to offer financed prices. A hacker took advantage of the connection between Samsung and Sprint to break into customers’ accounts and steal personal information including phone numbers, device type, device ID, monthly charges, subscriber ID, account number, account creation date etc.

Security Everywhere - Cyber Attack on those investigating Russian Intelligence

Article: Cyber attack hits email users probing Russian intelligence

https://www.ft.com/content/876fb2d8-af92-11e9-8030-530adfa879c2

“One of the world’s most secure email services has been caught up in a sophisticated cyber attack aimed at investigative journalists and other experts who are probing Russian intelligence activities.“ 

This article explains the cyber attacks carried out on those who used the Swiss-based email service ProtonMail. The people that used it shared sensitive information related to their probes of Moscow’s military intelligence directorate, the GRU.

Security Everywhere - Huawei Ban

Article: THAT GLOBAL BAN ON HUAWEI? NOT SO MUCH ANYMORE

https://www.wired.com/story/global-ban-huawei-not-so-much/

This article talks about the Chines telecom giant, Huawei and its ban. The US government warned that Huawei isn’t to be trusted. As we know, Australia and Japan have blocked Huawei gear from their next-generation 5G wireless networks. The UK government however rejected the proposal for the ban saying that there aren’t any “technical grounds for excluding Huawei entirely from the UK's 5G or other telecommunications networks”. A UK member of parliament says that even though there may not be any technical reasons for the ban, there may be ethical reasons to do so. He cites an Australian Strategic Policy Institute report that Huawei supplied equipment to surveil Uyghur Muslims in Western China. The UK government further blames the company saying  there’s issues with the company's "basic engineering competence and cyber security hygiene."

“Opening its code to government inspections is part of Huawei's strategy to regain trust around the world. The company opened its Brussels Cyber Security Transparency Centre last March to help assure EU institutions that its products are safe to use.” I think this is absolutely necessary for Huawei to do in order to return functioning as a trusted company.

Week 7: Tutorial & Module 7

Case Study Should the government or government agencies collect and have access to your data for good purposes, or should citizens, e.g. you, have a right to privacy which stops them?

Reasons for • Anti-terrorism • Child protection • Government surveillance is slowly becoming a normality • Why do we care so much about our privacy? • Our democracy - representative democracy John bercow - order order

Readings: 2019 - Facial Recognition to Replace Opal Cards • opposition and digital rights groups say it would pose a risk to privacy. • envisioned something similar to Amazon’s “Just Walk Out” technology • “In the transport space we’ll use facial recognition technology to scan customers who’ve ‘opted in’ and linked their Opal account,” • Labor's transport minister -" The data collected would be of enormous commercial value to whomever owned it." • “NSW taxpayers should not be used by their own government to make money. This government cannot be trusted with this sort of technology.” • “People have a right to expect a certain level of privacy when navigating public spaces, and must have trust that governments are taking appropriate action to protect that privacy.” 2019 - AFR discusses Facial Recognition - Facial recognition is about to end your privacy. How do you feel about that? • Alibaba FlyZoo Hotel in Huangzhou uses face scan to enter room, get to right floor etc. • Taylor Swift deployed facial recognition secretly at a concert to detect stalkers • In New Delhi 3000 missing children were found • More widely, object recognition and analytics can count the number of people in areas for safety or logistical reasons, detect criminal behaviour, trespassers and vandals, and spot accidents, speeding, jaywalkers, flytipping, loitering, the homeless, and more.

Tutorial Canary • Detects a buffer overflow before a malicious code is executed RSA 

• Key generating algorithm • Involves a public and private key • https://simple.wikipedia.org/wiki/RSA_algorithm

Block cipher modes • Key is x or'd with the plain text to produce cipher text

• ECB encryption gives a predicted output • While CBC encryption gives a more randomised output • CBC - When would you use encryption? Verifying input and output, being able to reverse it. You don't want the encryption to be the same for the same inputs. Therefore IV should be randomised • When would you use hashing? You want the hash to be the same thing if the input is the same. Thus the initialising vector needs to be the same

Format String 

• Printf("%d\n"); when this is called • Printf(userinput) printing a string directly will expose vulnerabilities Printf("%s", userinput)  is the correct way Python -c print function | ./runfile

Week 7: Lecture Notes

Lecture 1: • Use encryption for confidentiality. How can we share a secret with 2 people from other sides of the world • Diffie Hellman and authentication ○ Key exchange algorithm ○ Gives us shared secrets • Discrete log problem - it's very hard to find original number, if you raise the base to a particular power and then take the last few digits This could be used to establish an RSA key

• Vulnerability - potential weakness within something • Exploit - takes advantage of this^ ○ Shell code ○ Nop sleds • Software Bug - types ○ memory corruption § Eg. Integer overflow. Integers are stored with a fixed amount of allocated space. If you keep incrementing this, it'll keep taking up space. Sometimes this number can get to big and then wrap around, starting from a small number again. This is one way of doing a memory corruption attack ○ buffer overflow - simplest form of memory corruption ○ the stack and the heap ○ how functions are called in C ○ format string • Stack - first in, last out. Temporary information about function stored in stack ○ Eg. In C, using printf("Richard%s"), without the second argument. It'll look for the second argument in the stack. ○ Read up %n attacks • Heap stores dynamic variables as these change a lot and would be hard to store in stack.

Responsible disclosure - let the person know they have a vulnerability instead of abusing it

Assets - Need to figure out what is it you're trying to protect before actually protecting it. It's easy to protect the wrong thing • Make yourself familiar with all the standards and be aware of vulnerabilities.

Valuing the Assets - Defining what is important • Tangible Assets: Those that are easily given a value ○ A gold chain valued at some relatively static amount ○ The jewellery in a jewellery store. • Intangible Assets: These cannot be easily and objectively be value ○ Employee Morale & Security ○ Customer information ○ Company secrets ○ Availability of services • * Monetary + psychological/emotional costs • * Difficult <> Don't do ○ Examples: ○ Company secret - what is at stake? ○ QOS Guarantees

Lecture 2:

Presentation: Bug Bounties

Where to start Hunting? • Crowd-sourced bug bounty website • Bug crowd ○ Open to public

Tips to get started • Learn web application principles • Look for wider scope and less competition ○ Increase number of bugs ○ Less likelihood of dupes • Stay in scope • Look for assets which have changed recently • Look for publicly disclosed reports • Start at comfortable difficulty • Work towards your skills • Teamwork

Process of Bug Bounty 1. Find a suitable program 2. Review the scope 3. Find the target via recon 4. Hit target and find vulnerability 5. Write a report 6. Submit the report to the company

Training resources • Hacker101 ○ Sql injections ○ Password management Fuzzing • Eg of fuzzing software - afl • Technique used to look for bugs • Have program and repeatedly feed it input and observe if any bugs are produced Different types of fuzzers: 1. Multination-based vs generation based 2. Aware of input size… • The Heartbleed bug

Presentation: Pen Testing

Pen Testing • Detect vulnerabilities and expose them • Is an authorised simulated cyberattack on a computer system to evaluate risks Repercussions of an attack on your security system Why it is important • It allows us to discover vulnerabilities in our system before attackers do • It can test your security controls (firewalls, ips, ids) • Sometimes thinking like an attacker is the best way Practical uses of pen testing • Gives coverage to companies without getting hacked • Get ahead of the curve Stages of pen testing • Recon - intelligence is gathered • Planning • Exploitation • Post exploitation Pen testing tools • Metasploit • Gobuster • Burb • Wireshark - analysing ne • twork connections • Nnmap • Kali - package has tools like info gatherinr, reverse engineering, reporting tools, password attacks, maintaining access, exploitation tools, forensics tools, wireless attacks • Burpsuite - most popular software used to test sofware CTF Websites Pwnable.com can be used to practise

read up about the NSW LPI and think about what assets they have and what risks arise from them having been privatised  eg https://en.wikipedia.org/wiki/New_South_Wales_Land_and_Property_Informat

• Shared secret - when the person that needs to be authenticated and the person is authenticated have a secret between them. This can be used to authenticate. Eg. A certain code word • Problem with authentication - if computer has been preloaded with shared secrets and these secrets have been used once, then that's a problem • How can you detect and protect against the man in the middle? • Web of trust (PgP) and PKI. (check out how PGP does authentication using web of trust) PKI • Links your public key to usually a web domain. It's certified to something that everyone trusts • SSL/TLS • Read Bruce Schneir's paper • Certificate authority ties the key to a domain name. it doesn't tie the key to anyone in the world

Look up how the TLS handshake works - look up a simple rsa version

Something Awesome: post #5

Eaves dropping attack

occur through the interception of network traffic

attacker can obtain passwords, credit card numbers and other confidential information that a user might be sending over the network

it can be either:

passive  - A hacker detects the information by listening to the message transmission in the network

active - A hacker actively grabs the information by disguising himself as friendly unit and by sending queries to transmitters. This is called probing, scanning or tampering

Data encryption is the best countermeasure for eavesdropping.

Week 6: Tutorial & Module 6

Case Study - Cyber Warfare. Australia and Russia war • Financial institutions could be targeted

As Attackers: What are we attacking? • Psychological warfare ○ Propaganda ○ People ○ Differences in ethnics • Cut the internet • Holding cyber institutions ransom • Stuxnet 2.0 attack - Russia was hit by this • Take down the satellites • Screw with traffic • EMP - electromagnetic pulse. Overload circuits and shut down everything electronic • Target the allies • Coding practices can be determined based on coding styles As Defenders: What are we protecting/defending? What assets and resources? • State sponsored news source • Propaganda may not work as other countries may reveal more information in their news ○ Social media • Work with social media. The youth often get their news from social media • Close networks and anything industrial • Have some sort verification to detect whether a person of suspect is an Australian citizen

10 most common cyber-attack types:

• Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks ○ Overwhelms a system's resource so that it can't respond to service requests ○ Attack on system's resources, launched from a large number of other host machines that are infected by malicious software controlled by the attacker • Man-in-the-middle (MitM) attack ○ occurs when a hacker inserts itself between the communications of a client and a server • Phishing and spear phishing attacks ○ practice of sending emails that appear to be from trusted sources with the goal of gaining personal information or influencing  users to do something. It combines social engineering and technical trickery. It could involve an attachment to an email that loads malware onto your computer. It could also be a link to an illegitimate website that can trick you into downloading malware or handing over your personal information. • Drive-by attack ○ Common method of spreading malware ○ Hackers look for insecure websites and plant a malicious script into HTTP or PHP code on one of the pages. This script might install malware directly onto the computer of someone who visits the site, or it might re-direct the victim to a site controlled by the hackers. • Password attack ��� Brute force or dictionary attack • SQL injection attack ○ SQL injection has become a common issue with database-driven websites. It occurs when a malefactor executes a SQL query to the database via the input data from the client to server. SQL commands are inserted into data-plane input (for example, instead of the login or password) in order to run predefined SQL commands. A successful SQL injection exploit can read sensitive data from the database, modify (insert, update or delete) database data, execute administration operations (such as shutdown) on the database, recover the content of a given file, and, in some cases, issue commands to the operating system. • Cross-site scripting (XSS) attack ○ XSS attacks use third-party web resources to run scripts in the victim’s web browser or scriptable application. Specifically, the attacker injects a payload with malicious JavaScript into a website’s database. When the victim requests a page from the website, the website transmits the page, with the attacker’s payload as part of the HTML body, to the victim’s browser, which executes the malicious script. • Eavesdropping attack ○ Passive or active • Birthday attack ○ Birthday attacks are made against hash algorithms that are used to verify the integrity of a message, software or digital signature. A message processed by a hash function produces a message digest (MD) of fixed length, independent of the length of the input message; this MD uniquely characterizes the message. The birthday attack refers to the probability of finding two random messages that generate the same MD when processed by a hash function. • Malware attack ○ Malicious software can be described as unwanted software that is installed in your system without your consent.

Buffer Overflow

• Stack grows up when you're storing and back down when you are using it • Last in, first off • If we were to initialise an array - The data inside the array grows in the opposite direction to the stack • If the string isn't terminated by a NULL character, it'll keep reading from memory • The buffer is the space allocated to store the array • A buffer overflow is when we overflow this buffer Problem of mixing data and control - fix this by overwriting return address

Week 6: Lecture Notes

Lecture 1: IV - initialisation vector - when an algorithm deals with a sequence of things • eg wep has 40 bit key and 24 bit IV Mixing Data and Control

Buffer Overflow • Inside every computer is a central processing unit • Stacks are used to store local data • In the case where programs freeze, the running programs store data in the stack. This makes running programs much faster • That memory contains a lot of control information. A pointer to the next instruction, this instruction is carried out when the system wakes up again • Concept of return address

Proof of Work • It's the friction that makes security work Moore's Law - gordon moore intel ceo 1965 1 / 1.5 / 2 • Noticed that the number of transistors double every year and that the compute power and speed increased (roughly doubled every 18 months). Thus every 18 months you'd lose a bit of security RSA • Works because it’s a hard mathematical problem, decrypting is hard for the attacker to carry out.

Lecture 2: Web (Presentation) How the Web Works • An HTTP cookie as a small piece of data… • Web apps send users a cookie with a unique • Reflected XSS occurs when • Proof of Concept - Samy is my Hero

• Cross site request forgery ○ Primary mitigation is with tokens ○ Important: If a website has XSS vulnerabilities, C

Cryptocurrency (Presentation) What is it? • Digital currency, no physical • No third party is needed to authorise it • Quick transactions

• Proof of work depends on the n Bitcoin • Most popular crypto currency created in 2009

• Blockchain doesn't have a strong concept of identity - (public, private) key pairings • Doesn't exempt transactions from tracing • Two main ways: ○ Relations between addresses - 'inferring' identity ○ Interactions between nodes and users Case Study - Monero • Unlinkability -> 'stealth addresses' with 'view' keys • Transaction mixing -> ring signatures • Concealing transaction amounts -> RingCT signatures • Hiding source IP and blockchain usage -> The Kovri Project

• Asymmetric ciphers22 - Southern California earthquakes hit news anchors • Read about Block Modes - only need to learn ECB, CBC, CTR

Authentication • Identifying for who?  computer/human? • facebook, police, baggage screening • auth and ident - what is the difference? • what decisions? • The computer has to make a decision (not helping the human make a decision). Can we have a computerised authentication system. ○ Eg withdrawing money from an atm, facebook • The authentication problem is a big one • How we solve authentication these days? Factors ○ Something you know § requires you to have kept a secret but this can often be worked out/guessed cracked/found. Hard to prove no one else knows it ○ Something you have ○ Something that you are

Week 5: Tutorial & Module 5

Tutorial: WEP - Wired Equivalent Privacy • Released in 1999 and broken in 2001

Hash collision   • when 2 things hash to the same thing Preimage attacks • The ability for the hashing algorithm the resistance of being reversed • Not wanting an attacker to reverse the hash to find out the plaint text • Want preimage resistance in passwords 2nd Preimage attacks • Having a document hashed and not wanting the same document to be hashed differently. Creating a 2nd document knowing the first document and its hash • Preimage attack on a 2nd document

MD5 & SHA1 - Types of attack

Bits of information you need to identify someone - possible to identify someone with 3 pieces of data - name, DOB etc.

Digital Signatures

Length extension attacks • Avoid a length extension attack by hashing again • The key hashing is used a form of authentication • Why we should use HMACS? What CIA principles does HMAC correspond with? • Adding another plain text by knowing the previous plain text and hash, allows to create another hash

Mixing Data and Control • If the user controls the data, the user controls the control • Ejection attacks are usually a mix of data and control • It causes many security vulnerabilities • Eg. Having the admin enter the admin username and entering an SQL statement as the password can mean anyone can get in

• Difference between bits of work and bits of security: ○ Bits of security - from a defenders point of view. How many bits of work it takes to break in ○ Bits of work - how many bits of work it actually takes to do the work *Complete Modules 3, 4, 5

Avg computer can do 40 bits of work per second 2^10 = 1,024  approx 1,000 2^20 = 1,048,576  approx 1,000,000

Case Study - Giggle self-driving cars

• Assets of company ○ Data stored, storage of information. Eg. Geographical information ○ People, privacy ○ Reputation ○ Intellectual property ○ Public safety • Risks ○ External control of car ○ Weather ○ Ethical decisions ○ Liability ○ Reputation of company ○ Impact of human drivers. The AI is proven to be safer • Solutions ○ Impose laws and regulations ○ Require hospitals to be alerted in the event of a crash ○ Employment of taxi drivers - have a limit of number of cars. Have someone backing up the system ○ Have authentication like facial recognition for person entering the car ○ Requirements for physical safety of the car ○ Collab between government and industry to develop laws

Something Awesome: post #4

Cross-site scripting (XSS) attack

XSS attacks use third-party web resources to run scripts in the victim’s web browser or scriptable application

attacker injects a payload with malicious JavaScript into a website’s database 

When the victim requests a page from the website, the website transmits the page, with the attacker’s payload as part of the HTML body, to the victim’s browser, which executes the malicious script.

it might send the victim’s cookie to the attacker’s server, and the attacker can extract it and use it for session hijacking

The most dangerous consequences occur when XSS is used to exploit additional vulnerabilities.

These vulnerabilities can enable an attacker to not only steal cookies, but also log key strokes, capture screenshots, discover and collect network information, and remotely access and control the victim’s machine

Week 5: Lecture Notes

Lecture 1: https://www.openlearning.com/courses/securityengineering19t2/notes/slides05/ • Forensics - every contact leaves a trace • Stream of bits ○ Bits of combined to make cipher using X or - exclusive or, one or the other of the statements are correct but not necessarily both. If you X or something twice, you get back to the original ○ Access point sends it to the laptop, laptop sends it back to access point, access point sends it to the world. Access points purpose is to mediate the transmission to the outside world ○ 1111011011001 10101110 01011000 <- X or'd ○ RC4 is flawed though ○ TCP/IP § Ip address of who sent the message and who is receiving. This is at the front of the packet

• Hashing ○ MD5 - Message Digest. First serious hashing function. MD4 had too many flaws. But MD5 was also found to have flaws. § Broken - someone was able to break into it faster that brute force

Lecture 2: Presentation from 6841: • OPSEC ○ If you don't need to share information, don't ○ go • Avoid sharing information. Only share information on a need-to-know basis • Beware social media • Metadata • Minimise indicators - expensive clothes, carrying tools • No information is still information • Hard strike the right balance • Keeping your identity secret ○ Remain anonymous or set up a false identity to hide your tracks § Tor, tails, VPNs, public Wifi • Be forgettable ○ Blend in with everyone else ○ If you stand out, you will be remembered and monitored • Case Studies ○ Harvard Bomb Threat ○ Silk Road - an anonymous marketplace to buy and sell anything 'non-harmful' Presentation 2: • Passwords can be broken • Password crackers - john the ripper, kali • Why are passwords bad? ○ Hard to remember good ones, hard to type ○ Complicated rules for generation ○ Regular password renewal creates user generated patterns ○ Little incentive to create unique passwords § Low probability, high risk • Password storage ○ Do not store in plain text - plaintextoffenders.com/offenders § Foxtel, facebook etc. ○ Mostly small to medium sized companies ○ Facebook stored some in plain text which many employees got a hold of ○ Bad hashing ○ Rainbow tables are designed to match passwords ○ Linkedin hack - passwords were leaked ○ Sha-1 reverse used to crack hash for passwords. Sha1 or md5 aren't very good hashes as these can just be googled ○ John the ripper can be used to crack passwords • Salt ○ Like an initialising vector. ○ It gets added to your password and then is hashed. The salt is plain text and is no secret ○ add a random string to the end of the password and this is then hashed ○ This is to ensure that 2 people with the same passwords don't have the same hashed result ○ Linkedin didn't add a salt to their passwords which is why they could be cracked easily ○ Salt can't be too short and the same one shouldn't be used for multiple passwords • Make your passwords stronger ○ Strong encryption method like a hashing function like sCrypt ○ Future: biometric alternatives? ○ Long without english grammar patterns ○ Passphrases, wacky lexicon ○ Don't do password hints ○ Limit the number of failed login attempts ○ Use multi-factor authenticaiton • Common password demo ○ Haveibeenpwdned.com/Passwords

• Merkle Damgard construction MAC = h(key|data)

• Collision attacks are relatively easy compared to other attacks ○ Digital signatures can be moved from one document to another if they have the same hashes • Data Breaches. Password files were hacked in which bad hashes like md5 were used ○ Ashley Maddison ○ Office of personal management ○ Facebook , Linkedin

Key Stretching • Instead of using md5, use a custom function. Its designed to be a really slow cryptographic function

1996 was when md5 was known to have flaws but people kept using it. 2005 used to generate fake X.509 certificate 2006 collision on notebook computer in under 1 minute 2008 "MD5 considered harmful today, creating a rogue CA certificate"

Something Awesome: post #3

Phishing Attacks

One of the attacks I looked into was Phishing Attacks. After reading about this I realised it was an attack I had come across and heard a lot about but just didn’t know the name of. From what I understand Phishing is:

The practice of sending fraudulent communications that appear to come from a reliable source

usually carried out through email

goals:

 is to steal sensitive data like credit card and login information 

to install malware on victim’s machine

increasingly common cyber threat

combines social engineering and technical trickery

it’s important to know how to recognise a phishing email

Techniques to reduce the risk of being the victim of a phishing attack:

critical thinking - analyse the email before accepting it or clicking pn any links etc

hover over links - move mouse over link but don’t click it. This allows you to check where the link would actually take you and decipher the URL

analysing email headers - email headers define how an email got your address. The “Reply-to” and “Return-Path” parameters should lead to the same domain as is stated in the email.

Sandboxing - you can test email content in a sandbox environment, logging activity from opening the attachment or clicking the links inside the email.

Week 4: Tutorial & Module 4

Tutorial:

• Entropy - amount of organised information in the system. Randomness is the amount of disorganisation • Password managers are useful • Linux and windows passwords are stored on the hard drive in a folder /etc/shadow • Concept of 'who watches the guards, who watches the watchers' and how is an authoritarian government prevented? • Hashing and HMAC ○ Take a variable amount of some sort of data and it condenses into some file ○ Md5sum is a type of hash. It always produces a 32 character result ○ Hash collision - tiny chance that the exact same hash is used for two different files. Therefore if 2 hashes are different - the files are different. If 2 are the same, it is most LIKELY that the files are the same ○ Fingerprints ○ $6$salt$hash ○ HMAC § Take a plain text and the key and hash both of them § Good for authentication and integrity § Send the plain text + the hash. This doesn't provide confidentiality. For confidentiality, encryption is better or normal MAC • Bits of Security ○ Eg. 1000 hashes 50% found in 1,000,000 12 bits of work to hash one plain text How many bits of work will it take to discover 500 easy passwords? § You could take the million passwords and hash them all § 2^32. 32 bits of work • Burpsuite - packet interception tool. All packets go through a proxy. It intercepts your own traffic

Case Study - 'Secret':

'Google is setting up research lab somewhere near UNSW for a team developing an exciting new secret Google project. You need to design the physical site security. List main things you need to protect for the new office. List three key features of your security design.' ○ Research lab needs to be password or passcode protected ○ Authentication and authorisation. Making sure correct identities with right authorities have access to research lab ○ Need to protect research data/content and members'/employees' information, any physical material inside research lab. Unreleased works in progress. Access to the building, network. ○ Key features of security design - no signage to indicate what the physical structure or building is, swipe cards to enter site/passcode or both?, Fingerprint scanners for authentication? ○ Layers of security. Security makes it harder for the attackers to break in but don't make it the only thing you're relying on

○ Key assets - the people, information - computers/files, the site itself, material objects

○ How - design of building, blend in to environment, multiple levels, multiple sections, make sure exits are accessible especially in an emergency Who are you protecting against - attackers from outside, insider threats. (don't bother protecting against nation states ie. USA, Russia etc.)

Week 4: Lecture Notes

Lecture 1: • Shim is used to defeat a padlock by pushing the latch • Most difficult risk for a security engineer to analyse - Low probability, High impact • 1000 is 10 bits ○ Roughly 7 bits in 100 • Brute force is the slowest way to break into something • Hashing - summarise one thing with another thing in a very small amount of information. Something possibly large, uses its bits and turns into smaller thing ○ Hash Collision - Duplicates - flaw called hash collision. Needs to be set up so that the chance of getting this collision is low and the amount of work and time that has to be put in is a lot ○ Primage attack - you have no plain text and you're trying to find one ○ 2nd Preimage attack - one plain text and find 2 ○ deterministic ○ Hash function - same results every time ○ Eg. Everyone is identified with a card § If enrolled in 6841 - black suit, if 6441 - red suit § Post grad - heart or spade § King is 0, ace is 1, jack is 11 etc. § Birthday/13 the remainder is what number you are ie. mod 13 □ 8 of diamonds - this can't be changed (unless enrolment or DOB is changed) § Convenient as card can just be checked as opposed to name, student number etc. but you can have duplicates. The amount of information in a hash is less. ○ Cryptographic Hash functions § Deterministic § Fast way, infeasibly slow the other § Avalanche property § Hard to find two messages with the same hash □ Otherwise it's easy to break. If you find a collision, it can be easy to defeat • The Birthday Attack (or birthday paradox) ○ Getting a double of 2 people with the same birthdays is more likely than you think ○ Chance of having a collision is 50/50 once the size of your sample is the square root of your hash size ○ Problem with hash function - clustering in data (more people doing 6441) leads to clustering in hash function ○ Think about how to solve the telegraph problem with a hash function. How can we use a hash to stop someone from fiddling with the message

Lecture 2: • Security and social engineering is about human weakness • FOI - limit by type of information you want, don't be too general • Desired resistance against attacks ○ Preimage attack: given h(M) find M ○ 2nd preimage resistant: given M find M' where h(M)=h(M') ○ Collision resistant: find any two messages M M' where h(M) = h(M') • Examples of uses: ○ MAC - Message Authentication Code. Provides authentication ○ Commitment ○ Proof of work ○ Passwords - important ○ Fingerprints - important

Something Awesome: post #2

I went online to research the most common types of cyber attacks and which ones allow hackers to obtain personal data from users. I found out that some common ones were:

Phishing Attacks

Malware Attacks

Denial-of-service (DOS) and distributed denial-of-service (DDoS) attacks

Password Attack

Cross-site scripting (XSS) attack

Eavesdropping attack

Birthday attack

SQL injection attack

Man-in-the-middle attack

Drive-by attack

I did some brief reading on each of these attacks and over the week narrowed them down to a few which I would then blog about.

Week 3: Tutorial & Module 3

Tutorial:

• Corruption and greed is an inherent human weakness • Separation of Power - Law enforcement, courts unbiased, governmental system creates the laws • M&M concept - if there's one dent in the outer shell, you've got access. ie. someone on the inside • Nothing is secure, you can always brute force. Security is about to make it difficult to get secrets not about making mathematically unbreakable • Cryptograms.puzzlegram • EXAM - WEEK 5 SATURDAY ○ Whichever is higher - Mid sem exam or part A of final exam • RFID tagging • Pen testing - hackerbox. Bash and python are most useful for this. Exploits are done in python. Bash is versatile.

Case Study: Doors on Planes:

Analysis Question - produce a shortlist of recommendations for actions to be taken to prevent future disasters:

• Both Pilots should have master code that should override any lock unique to each flight

• Install bathroom and kitchen in cockpit

• Stricter and regular - Psychiatric testing for pilots

• Communication to ground at all times - External contact with ground control with people outside of cockpit at all times

• Reinforce rule that one pilot should always stays in the cockpit

• Air lock system - 2 doors 

• Splitting power - cabin jury

• Extra people on board who know how to fly

• Automation - AI to fly the plane

• Can't give control to just one type - dictatorship

Protecting against outsider and insider threats at the same time is hard. Similar to Type 1 and type 2 errors at the same time

Week 3: Lecture Notes

Lecture 1: Kahoot Quiz: • Kerchoffs? • Kasiski method: trick find key length • Bits of work Finish last week’s homework: • Human Weakness: self-interest & abuse of power • Blog 10 times a week (at least one analysis post done) • Find unique T1/T11 error situation done • Tweet something significant • Solve ciphers done TOPIC: RISK - “is ought” problem David Humes (1711-76) - What is can confuse us & blind us - Puzzle: Eastern Suburb Line & train breaks down in tunnel what do you do? o Find out where the (emergency) exits are (extra exit is on the back) o Emergency latch o Move to another carriage - Access precluded: is/ought: o Laptop repair: future decisions based on intuition. High probability but low impact, if event is low probability and low impact then you might let it slip but if its high impact then you start questioning it. People underestimate low probability events. - Risk is INVISIBLE: o Only get angry if the risk goes wrong o Only focus on risk that goes wrong (in media) o Example: SONY had bad security (?) o Just as dangerous every time you do the risk not just time the accident occurs e.g. driving without seat belt is wrong all the time, but you only think its bad when an accident happens, and you weren’t wearing a seat belt o Risk that is bad, and the chance of you letting it happen is bad and you only see the shadow (accident) rarely o You only see the outcome of risk which is credited to luck and other factors - Humans “bad at assessing” risk (really hard): o Don’t look at your intuition o People either obsess over a thing or completely don’t care about it (i.e. hygiene) - Terrorism: o <200 people died in terrorism in Australia which is approx. the death toll on long weekend in the country o Example of low probability event that is prescribed as high impact - Risk Matrix - Risk Registers - NASA Richard Fireman (?) - Self-interest: don’t have people in your own company to something, get a third party to do it o Critically think of it o Update it often o Have the higher authorities - Compliance: people can demonstrate that they have done something o E.g car check, checklist o Sets the minimum level - Risks to look out for: (train) level crossings, eruption, earthquake, dog attack, tsunami, school shooting, plane crash, major building failure, pandemic, … [low probability, high impact, chances of these happening to a person are low but they do happen] - Self-interest: don’t have people in your own company to something, get a third party to do it o Critically think of it o Update it often o Have the higher authorities - Sundance Resources Limited – Republic of Congo June 2010 o Whole board of directors in plane crash o Since whole board was on - 4 basic approaches to risk: o 1. o 2. Limit o 3. Passing a risk to a 3rd party (i.e. insurance) o 4. Wear (take the risk) Type 1 and Type 2 Errors: - Remainder (Stalin?) - Find T1 & T2 error & issues in the news & reflect on them in your blog & post good ones to security everywhere Bits of information: - Question: Mars men & Venus women always tell the truth & Mars women & Venus man always lie. What is a yes/no to ask if they are a Martian? “Are you a man?” - To figure out if they are a man? “Are you from Mars?” - To figure out both? There is none 4 options & only 2 outcomes (i.e. yes or no)

- Yes or no questions gives you one bit of information  

- 3 cuts divide cut in 8 pieces

TOPIC 2: CYBER LITERACY Protocol – Telegraph Bits of Security & Brute Force: Minimum symmetric key-size n bts for various attackers

Lecture 2: • Human Weakness - corruptible ○ Last week - self interest and abuse of power - examples? • Make a Bold Prediction • Make a data breach prediction • https://kahoot.it Quiz (pin = 612090) • Reversing tragedy ○ Woman who reversed a car without looking. She didn't hit anything ○ Bad thing - is the risk not the outcome. The outcome is down to luck ○ You can usually cut corners and get away with it. There's a crime in everything ○ If you do something risky in real life, you can get away with it • Centralisation ○ Google, Cloud, One player ○ Single point of failure ○ It increases impact but decreases likelihood • Card puzzle ○ Exploiting space/time trade-off can roughly have the effective number of bits ○ Estimate of how many bits of security to get a few months of security from different types of hackers • Homework required: separation of power leaders and terms? ○ Eg house of reps and senate - power is split. Government makes laws but police enforce them. Power is separated. ○ Most countries have the rule where person can't be prime minister for more than certain period. ○ Look for examples of government trying to control media or judiciary, take control of police etc. Leaders trying to undo separation of power • Homework required: how did the Romans and Greeks do separation of powers/avoid absolute power? ○ Trying to remove single point of failure - they will eventually fail. The chance of one person being corrupt is more likely than a group of many people being corrupt • Weakness - corruptible ○ A friend that turns into an attacker - someone from the inside ○ Insiders - the biggest problem in terms of catastrophic failure - but often overlooked ○ We've got someone policing the system but who's policing them? They've got power. "Who will watch the watchers?" ○ Examples § Kim Philby 34-63 and the Cambridge Five § Gordievsky □ The third lock - every contact leaves a trace § Michael Bettany M15 1984 - contacts Russian embassy saying he wants to turn and offer secrets. § Aldrich Ames § Robert Hanssen FBI 79-2001 - revealed a multimillion dollar eavesdropping tunnel built by the FBI under the Soviet Embassy in Washington • The Key Problem ○ Public Key cryptography - instead of using the same key to encode and decode it how about we have 2 keys - one to encode and one to decode - keep the decode key hidden. The key distribution problem becomes easier ○ Ralph Merkle - Secure Communications over Insecure Channels ○ RSA - encryption method § You want the code to be hard for the bad guy but easy for the good guy § 3^4 then ^7 is the same as 3^7 then ^4 § Step 1 raises to a power then mods it. § The power is the encryption key, modding it gives you the code. The other guy raises it to another power which is the decryption key. Encryption and decryption key are separate