COMP6441

Security Engineering

Importance of analysis/observation

Finding what is most important

People

Attacker Mindset vs Defender Mindset

Security Eyes: find the weak points

Physical Security: Comes first

Attackers only need one attack vector

Defenders need to defend all attack vectors

Recon: the second step

Why do things fail?

Murphy's law

We introduce more complexity

Humans

Measuring

Information

Extremely difficult to separate DATA and CONTROL

Bits of Security

Measured on a log_2 scale

Should have a high number of bits for defence

Gullibility

People can be tricked by confidence

People follow the decisions of others

You can get people in the habit of saying yes

Greed

Errors

Type 1: False positive

Type 2: False Negative

Always trying to minimise both, but have to decide which is worse

Secrets

The best number of people for a secret is 0.

CIA

Confidentiality

Integrity

Authentication

Asymmetry

Can separate good guys from bad guys

Good guys have the secret

Bad guys don't

Military ciphers

  1. System must be practically indecipherable
  1. The process is not secret
  1. Key must be communicable and retainable
  1. Must be applicable to telegraphic correspondence
  1. Must be portable
  1. Must be easy to use

Security through obscurity

Where you keep the process itself secret.

Not good security

When people find out the principle you are fucked.

Brute force attacks

On average, will guess correctly halfway through the total space of possibilities

Passwords

Often simple to guess

Often repeated

Often relates to the person

Key-Space

Set of all permutations for a key

Side Channels

Ways for data to get out that are unexpected

Every contact leaves a trace

Hard to rule out all side channels

Bits of Information

How many alternatives can be chosen

Alternative means choice in question, not per letter

Run on toilet paper

Insider Threats

People who are trusted within the defence

Motivations

Self interest

Morals: Whistleblowers

Trust

People have a tendency to trust, and will overlook logic for trust

Defence in Depth: need for multiple components to fail. Essentially redundancy.

When there is a conflict of interests

Hard to defend against, cultural issue.

Always get hunted after whistleblowing

Ciphers/Encryption

Symmetric

Asymmetric

Polybius Cipher

Substitution

Encode letters into 2 numbers by 5x5 grid

Replace letters with another letter

Transposition

Coincidence index: frequency distribution analysis

Permute the order, can be via a keyword

One Time Pad

Shifts letter by a random number

Use once, or else the pattern can be determined
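
Why the pad must be used once, as an added example that is not part of the original notes: with the letter-shift pad described above, subtracting two ciphertexts made with the same pad cancels the pad completely. The sample messages and function names are constructed for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase

def make_pad(length):
    """One independent, uniformly random shift (0-25) per letter."""
    return [secrets.randbelow(26) for _ in range(length)]

def shift(text, shifts, sign):
    """Shift each letter of text by sign * the matching entry of shifts, mod 26."""
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + sign * k) % 26]
        for ch, k in zip(text, shifts)
    )

def encrypt(plaintext, pad):
    return shift(plaintext, pad, +1)

def decrypt(ciphertext, pad):
    return shift(ciphertext, pad, -1)

def difference(a, b):
    """Letter-wise a - b mod 26."""
    return [(ALPHABET.index(x) - ALPHABET.index(y)) % 26 for x, y in zip(a, b)]

def recover_second(c1, c2, known_p1):
    """With c1 and c2 under the same pad and p1 known: p2 = p1 - (c1 - c2)."""
    return shift(known_p1, difference(c1, c2), -1)

def demo():
    # Constructed sample messages: same length, upper-case letters only.
    p1, p2 = "MEETATTHEDOCK", "SENDMOREFUNDS"
    pad = make_pad(len(p1))
    c1, c2 = encrypt(p1, pad), encrypt(p2, pad)  # the mistake: pad used twice
    # The pad cancels: c1 - c2 equals p1 - p2 whatever the pad was.
    leaks = difference(c1, c2) == difference(p1, p2)
    return leaks, recover_second(c1, c2, p1)

if __name__ == "__main__":
    print(demo())
```

A single use leaks nothing because every plaintext of that length is equally consistent with the ciphertext; the second use is what gives an observer a pad-free relation between the two messages.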

Block vs Stream

Block: encrypts an entire block of text.

Stream: encrypts one character at a time

DES

American standard of encryption

Confusion

Each bit at the end of the encryption depends on several parts of the key.

Diffusion

A small change should change half the bits.

Risk

Humans judge risk off past frequency. We are bad at assessing low probability situations. However, inevitably things will occur.

We have cognitive biases that change how we see things.
Confirmation Bias: favour information that confirms previous beliefs.

Security is about defending high impact, low probability situations.

Correlations

Risks are correlated if they are tied together.

Best to have uncorrelated risks.

Authentication

Unsolvable

Incredibly important

Computer has very limited senses, so much harder to authenticate.

Generally need to compare a shared secret, like a password.

Man in the middle attacks use this, passing on the shared secret.

Factors

What you know

What you have

What you are

End-to-end security: from real world to computer to real world.

Hashing

Like encryption, but different sized output.

Uses

Fingerprint for ID

Ensuring no change for integrity

Can have collisions

Cryptographic hash: can't go backwards

Length extension attack: adding bits at the end can obtain the secret at the start

Command and Control

Who is in charge

Options

One person at the top in charge, operating on a chain of command.

Everyone equal, promoting more creativity but lower power for each.

Should have a mix of both

Dual Control: Two elements must be in sync, for both redundancy and to see if a situation is wrong.

Protects against individuals or single attacks

Assets

How to identify

Survey people

Develop a plan

Continuously reassess. Always changes

Tangible assets: physical assets

Intangible assets: intellectual and moral assets.

How to value assets:

  1. Survey as many people as you can. The group always had a better idea.

1st Preimage Resistance: finding the secret.

2nd Preimage resistance: finding a collision.
Done via a birthday attack (square root rule, takes the square root of the number of bits).
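
The square root rule, as an added example that is not part of the original notes: a collision search on a hash with n bits of output finds two matching messages after roughly 2^(n/2) attempts, far fewer than the 2^n possible outputs. Truncating SHA-256 to a few bits and the message format are assumptions made so the search finishes instantly.

```python
import hashlib

def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256, standing in for a short n-bit hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int):
    """Hash distinct messages until two share a truncated hash.

    Returns (message_a, message_b, attempts).
    """
    seen = {}
    attempts = 0
    while True:
        message = b"constructed-message-%d" % attempts
        attempts += 1
        value = truncated_hash(message, bits)
        if value in seen:
            return seen[value], message, attempts
        seen[value] = message

def survey(sizes=(16, 20, 24)):
    """For each hash size n, list attempts used next to 2^(n/2) and 2^n."""
    rows = []
    for bits in sizes:
        _, _, attempts = find_collision(bits)
        rows.append((bits, attempts, 2 ** (bits // 2), 2 ** bits))
    return rows

if __name__ == "__main__":
    for bits, attempts, sqrt_space, space in survey():
        print(f"{bits}-bit hash: collision after {attempts} attempts "
              f"(2^(n/2) = {sqrt_space}, 2^n = {space})")
```

This is why a hash meant to give k bits of collision resistance needs an output of about 2k bits.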

Privacy

Information

More valuable the more there is

Data wants to be free, because of the increase in value

Privacy Forward Property: once data is released it can't be retracted. Should think about future use of the data when you release it.

Deidentifying: data can be 'deidentified' by removing some aspects of the information. But this can be compared against other data, reidentifying it.
Impossible goal

Open Government: lets the data be entirely free. But it removes the power of the government.

Forward Security: is the data that's secure now going to remain secure?

Privacy Laws

Companies are now required to report data breaches. Previously they were kept hidden.

Australian Backdoor Law

Public and Private keys

RSA encryption is a good form of this

Communication

Goal: to bring about change. Steps:

  1. Know what change you want to make
  1. Know the person you aim to change.

Tips

Remain open minded

Get the trust of the person by being authentic.

Hypnotising Chickens

Boring information makes people stop paying attention.

Use boring information to hide the important stuff.

Attention is a scarce resource, assume you only have it briefly.

Tell a story

Make it easier for them to say yes.

No acronyms, makes people feel left out when they don't know them.

OpSec

Need to know your enemy and who/what you are defending.

Done through threat modelling.

How to remain anonymous

VPNs: disguises yourself but also reveals more nefarious intentions, and people do nefarious things through a VPN. People can watch the VPN and track you that way.

Tor: routing traffic through many countries so it's difficult to track.

Good OpSec

Is Idiotproof

Fails closed: fails into a defended, safe state, not vulnerable.

Layers

  1. We don't know anything is happening.
  1. We know something happened, but not who.
  1. We know someone by the name 'bartman' did it.
  1. We actually know their identity.

Zero Knowledge Protocol

A process of proving something to someone without revealing any information.

Often probability based, proving beyond doubt. Proving that they couldn't randomly guess it.

Strongest Level

Caught whilst bragging.

Caught via honeypots, or not bouncing around enough.

Persona management is important, don't link your persona to your identity.

Booby traps are an admission of guilt.

Distinguishable by grammar, punctuation.

You can be famous or a hacker, but not both.

This is about conviction

Mitnick's Attack

DoS one server so it can't acknowledge the messages.

Send messages to another server impersonating the DoSed server. The ACKs go to the DoSed server.

Adds his own computer to the permission list, installing a backdoor for himself.

Cleanup by sending a reset

TOCTOU

Time of check to time of use

Going through the maccas drive through and picking up the next person's food.
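
The drive-through analogy in file-handling terms, as an added example that is not part of the original notes: checking a path and then opening it are two separate lookups, so the safe pattern is to open once and check the object actually opened. The file names and the `between` hook (which stands in for whatever happens in the gap) are hypothetical; the code assumes a POSIX system.

```python
import os
import stat
import tempfile

def read_check_then_use(path, between=lambda: None):
    """Check the name, then open the name: two separate path lookups."""
    if not stat.S_ISREG(os.lstat(path).st_mode):     # time of check
        raise PermissionError("not a regular file")
    between()                     # anything can change the name in this gap
    with open(path, "rb") as f:                       # time of use
        return f.read()

def read_open_then_check(path, between=lambda: None):
    """Open once, then check the object behind the descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuse a symlink here
    try:
        info = os.fstat(fd)       # describes the file we hold, not the name
        if not stat.S_ISREG(info.st_mode):
            raise PermissionError("not a regular file")
        between()                 # renaming the path no longer matters
        return os.read(fd, info.st_size)
    finally:
        os.close(fd)

def run(reader):
    """Constructed scenario: the path is re-pointed between check and use."""
    with tempfile.TemporaryDirectory() as d:
        mine = os.path.join(d, "my_order")
        other = os.path.join(d, "next_order")
        for p, text in ((mine, b"my order"), (other, b"next person's order")):
            with open(p, "wb") as f:
                f.write(text)

        def swap():
            link = os.path.join(d, "link")
            os.symlink(other, link)
            os.replace(link, mine)  # atomically put a symlink where the file was

        return reader(mine, swap)

if __name__ == "__main__":
    print(run(read_check_then_use))
    print(run(read_open_then_check))
```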

Blockchain

Proof of work. It takes up to 10min to produce a new block onto the blockchain. That work, once more blocks have been created, forms a permanent record.

51% Attack: able to rewrite the blockchain because preference is the longest blockchain.

Certificates/Public Key Infrastructure

Use a private key to encrypt something, and a public key to decrypt. This forms the 'certificate' authorising that user.

Centralised: a central authority that encrypts with the private key. We have to trust these people to authorise correctly.
The current system that is being used.

Decentralised: using the blockchain or some other peer to peer system.

These 'trusted' people are built into our browsers.

Sovereignty

Should you own and produce everything yourself, or should you outsource.

A question of trust.

Should only trust someone as far as your ideals align with theirs.

On the other hand, you shouldn't roll your own.

Incident Response

About considering high impact, low probability events.

Human response is often irrational. Need to challenge that to instead think responsibly.

2 questions

  1. What should you do?
  1. When should you do it?

Requires preplanning

Safety vs Security

Safety is similar to engineering, as they are trying to prevent incidents as well.

Encoding bias: we don't accept some information if it doesn't fit our mental model. We filter it out

Hindsight Bias: events that happened before an event are understood as the cause, even if they are unrelated

The difference is that security is about an adversary, safety is about random chance.

Tight coupling leads to catastrophes

A good solution to safety, to avoid human error, is to have a culture of safety. Don't punish those who get it wrong.

Cyber Crime

WannaCry: A cryptoworm, ransomware

Petya: ransomware

NotPetya: pretended to be ransomware, just destroyed the data. Used a watering hole attack (hit a common service that people visit regularly).

Cyber War

The future of cyber crime

Countries fighting against one another. Considered to be the 5th domain. Huge amount of resources can be pooled for this

Electronic code book: break up into blocks, encrypt each block individually.

Cipher Block Chaining: XORs previous encrypted block with new unencrypted block, then encrypts. If first block, takes in initialisation vector.
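
The two modes side by side, as an added example that is not part of the original notes: under ECB, identical plaintext blocks produce identical ciphertext blocks, while CBC's chaining hides the repetition. The block cipher is a toy Feistel construction built for this example (not DES or any real cipher), and the key, IV and records are constructed sample values.

```python
import hashlib

BLOCK = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def encrypt_block(key, block):
    """Toy 4-round Feistel cipher, constructed for this example (not DES)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right

def split(data):
    if len(data) % BLOCK:
        raise ValueError("length must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    # Each block is encrypted on its own: equal blocks give equal output.
    return b"".join(encrypt_block(key, b) for b in split(plaintext))

def cbc_encrypt(key, iv, plaintext):
    prev, out = iv, []
    for b in split(plaintext):
        prev = encrypt_block(key, xor(prev, b))  # XOR with previous ciphertext
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier block."""
    blocks = split(ciphertext)
    return len(blocks) - len(set(blocks))

# Constructed sample: three identical 16-byte records, then a different one.
KEY = b"constructed demo key"
IV = bytes(range(BLOCK))  # fixed for repeatability; use a fresh random IV per message
PLAINTEXT = b"PAY ALICE $100.." * 3 + b"PAY BOB   $250.."

def demo():
    ecb = ecb_encrypt(KEY, PLAINTEXT)
    cbc = cbc_encrypt(KEY, IV, PLAINTEXT)
    return repeated_blocks(ecb), repeated_blocks(cbc)

if __name__ == "__main__":
    print(demo())
```

Counting duplicate ciphertext blocks, as `repeated_blocks` does, is also a quick check for ECB use when reviewing stored or transmitted ciphertext.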