CSE 477: Introduction to Computer Security
Lecture – 1
Course Teacher: Dr. Md Sadek Ferdous
Assistant Professor, CSE, SUST
E-mail: [email protected]
Outline
• Motivations
• Course Information
• Basic concepts
• Security properties
• Security attacks
• Security failure & secure solutions
Motivations
• Currently around 4.77 billion mobiles, and increasing
• Around 4 billion Internet users
• Around 320 million domain names
• Around $2300 billion in retail e-commerce sales, and growing
• Almost all spheres of our lives are somehow dependent on the Internet and different web services
• Mostly in developed countries, but developing nations are catching up
• This trend will continue to grow
Motivations
Mirai Botnet
Source: https://www.corero.com/img/Diagrams/mirai-botnet-ddos-attack.jpg
Source: https://www.incapsula.com/blog/wp-content/uploads/2016/10/mirai-botnet-map.png
Motivations
Source: https://i1.wp.com/securityaffairs.co/wordpress/wp-content/uploads/2014/04/heartbleed-SSL-scan-results.jpg
Source: https://storify.com/services/proxy/2/WJZ_9tf1AVAiKovh33lUA/http/pbs.twimg.com/media/Bk7vrLqIgAArRrS.jpg
Motivations
Source: http://www.asuamaytinh.com/wp-content/uploads/2017/05/virus-wanna-cry-la-gi-cach-phong-chong-ra-sao-1888-660x330.jpg
Historical timeline - 1
Security timeline, part 1
Security attacks begin in 1950s and security mechanisms were designed for operating systems since the beginning. Early attackers were near the machines. Now the Internet allows millions of anonymous attackers to target any connected system. “White-hats” and “black-hats” are in an arms race...
1960 Memory protection hardware: partitioning, virtual memory.
1962 File access controls in multiple-access systems.
1967 One-way functions to protect passwords.
1968 Multics security kernel (BLP model)
1969–89 ARPANET → Internet; TCP/IP in 1977.
Infamously, ARPANET was built to withstand nuclear attack but was nearly crippled in 1988 by the Morris Internet Worm. ARPANET assumed centralised administration which no longer applies in the Internet: a dramatic example of a change in environment invalidating security.
Security timeline, part 2
1975 Unix-Unix copy protocol (UUCP) and mail trapdoors
1976 Public-key cryptography and digital signatures
1978 RSA public-key cryptosystem.
1978 First vulnerability study of passwords (intelligent search).
1978 E-cash protocols invented by David Chaum.
1983 Distributed domain naming system (DNS), vulnerable to spoofing.
1984 Viruses receive attention of researchers.
1985 Advanced password schemes.
1986 Wily hacker attack (Clifford Stoll’s “Stalking...”)
1988 Internet Worm: 6,000 computers (10% of Internet).
1988 Distributed authentication realised in Kerberos.
1989 Pretty Good Privacy (PGP) and Privacy Enhanced Mail (PEM).
Source: http://www.inf.ed.ac.uk/teaching/courses/cs/0910/lecs/intro.pdf
Historical timeline - 2
Security timeline, part 3
1990 Anonymous remailers (protocols prevent tracing).
1993 Packet spoofing; firewalls; network sniffing.
1994 Netscape designs SSL v1.0 (revised 1995).
1996 SYN flooding. Java exploits. Web-site hacking.
1997 DNSSec security extension for DNS proposed.
1998 Script kiddies’ scanner tools. IPSec proposals.
1999 First DDoS attacks. DVD encryption broken
2000 VBscript worm ILOVEYOU (0.5 – 8 million infections). Cult of the Dead Cow’s Back Orifice 2000 Trojan.
Source: http://www.inf.ed.ac.uk/teaching/courses/cs/0910/lecs/intro.pdf
Historical timeline - 3
Security timeline, part 4
2001 Code Red, Nimda worm infects Microsoft IIS.
2002 Palladium; chipped XBox blocked from online play.
2003 W32/Blaster worm. Debian and FSF are cracked.
2004 First mobile phone virus Cabir
2005 Flaws in SHA-1. Sony’s “rootkit” with broken DRM.
2006 RFID cracks. Microsoft Vista released; vulnerabilities discovered.
2007 Data breaches: TJX Inc (94m), UK HMRC (24m). iPhone released & cracked.
2008 Kaminsky discovers major DNS flaws. CIA reports power utility cyber-extortion. Oyster Cards cloned and UK e-passports faked.
Source: http://www.inf.ed.ac.uk/teaching/courses/cs/0910/lecs/intro.pdf
Historical timeline - 4
Security timeline, part 5
2009 Conficker virus
iPhone worm
DoS attacks on social networks (Twitter, Facebook)
Numerous data breaches
Hacktivism
TJX Hacker indicted
BT & Phorm
“Privacy” at Facebook, Google, . . .
Cloud computing
...
Source: http://www.inf.ed.ac.uk/teaching/courses/cs/0910/lecs/intro.pdf
What is computer security?
• Computer security is the protection of computer systems
• operating in adversarial environments
• with possible adversaries
• Protection aims to:
• allow intended use
• prevent unintended use
The security problem
[Diagram relating the security policy, computer system and attacker model; labels: "tries to break in", "having security properties"]
• Security policy, e.g. confidentiality, integrity, availability, authenticity, anonymity, . . .
• Computer system
• Attacker model, e.g. personal motivation (ex-spouse/employee, spouse or boss), financial motivation (pharmaceutical, credit card theft), political motivation (governments, activists), . . .
• In this course
• why systems are insecure?
• how to make them secure?
Course Information
[Figure: areas of security, with labels Physical, Device, Information, Web, Network]
Source: https://d2gg9evh47fn9z.cloudfront.net/800px_COLOURBOX18770823.jpg
Source: http://itak.iaitam.org/wp-content/uploads/sites/2/2015/06/Can-Mega-Data-Breaches-be-Prevented-%E2%80%93-What-ITAM-Can-Learn-from-Target-and-Home-Depot.jpg
Course Information
• Brief introduction to Computer Security
• Physical Security
• Operating System Security
• Basic crypto & Security Protocols
• Internet and network security
• Web and email security
• Malware
• Bitcoin (if time permits)
• Will not cover
• Deep mathematical study of modern cryptography
• However, basic cryptography will be covered
Assessment (tentative)
• Class Attendance: 10%
• Homework + Assignment: 5%
• Term Test: 15%
• Final exam: 70%
Resources
• Textbook
• Introduction to Computer Security - Michael Goodrich & Roberto Tamassia, First Edition
• Additional Resources:
• Introduction to Computer Security – Matt Bishop
• Handbook of Applied Cryptography - Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone. http://cacr.uwaterloo.ca/hac/
• Additional research papers will be supplied throughout the course
Advisory: Ethical code of conduct
• With great power comes great responsibility!
• Course materials and knowledge gained in this course should not be considered as an incitement to crack!
• Breaking into a system to demonstrate security problems might cause irreversible damage to many innocent users and might lead to prosecution!
• If you spot a security hole in a running system, don’t exploit it; instead, consider contacting the relevant administrators confidentially
• Sysadmins might not act quickly, as it is difficult to keep up with the latest security patches
• Especially true in the university setting:
• traditional approach: open access above security,
• resources for sysadmin are very tight
Advisory: Ethical code of conduct
• If you want to experiment with security holes, play with your own machine, in your own private network of machines.
• e.g. using a form of virtualisation such as VMware, VirtualBox, etc.
• If you discover a new security hole in a standard and popular application, or operating system
• consider contacting the vendor of the software/OS in the first instance
• consider suggesting a fix, if you can
• You might also raise the issue in a security forum for discussion
• without providing complete details of the hole
• The software vendor or other security experts will be able to confirm or deny, and work can begin on fixing the problem
Google classroom code