
CSCI 262

Computer Security

Fall Session 2013


University of Wollongong in Dubai
General Information
Lecturer: Dr. Halim M. Khelalfa, Room 108 KV 5
Email: HalimKhelalfa@uowdubai.ac.ae

Credit Points: 6 credit points

Contact hours: 3 hrs lecture, 2 hr lab per week

Lecture time and location: Sundays 12:30pm-14:30pm, KV 14 202; Wednesdays 08:30am-09:30am, KV 14 302

Consultation days and times: Mondays 12:30pm-14:30pm; Wednesdays 10:30am-13:30pm and 15:30pm-16:30pm

Labs: Sundays 15:30pm-17:30pm, KV5 103

Tutorials:
Course content
The subject covers fundamental computer security technologies in the following aspects:
a) Operating system security, such as physical security, file protections, system abuses, attacks and protections;
b) Database security, including data integrity, data recovery, data encryption/decryption, access control, and authentication;
c) Mobile code security, including malicious logic, host and mobile code protection, and mobile agents' security;
d) Intrusion detection;
e) Security policies;
f) Security management and risk analysis.
Learning outcomes

If you successfully complete this course you should be able to:

a) Analyse risks and threats to computer systems.
b) Evaluate and manage the security in computer systems.
c) Apply models of security in Operating Systems and select methods for providing protection.
d) Apply security mechanisms in database management systems.
e) Manage security for mobile code systems.
Textbooks/Readings

• Required Textbook:
1. William Stallings, Lawrie Brown, 2nd edition, 2011, Computer Security: Principles and Practice, Prentice Hall

Reference Textbooks
• Carlos Solari, 2009, Security in Web 2.0+ World: a standards based approach, John Wiley and Sons
• Charles Pfleeger, 4th edition, 2007, Security in Computing, Prentice Hall
• Cole, Krutz, Conley, Reisman, Ruebush, Gollmann, Reese, 2008, Wiley Pathways Network Security Fundamentals, John Wiley and Sons
• Davi Ottenheimer, 2012, Securing the Virtual Environment: how to defend against attack
• Dieter Gollmann, 3rd edition, 2011, Computer Security, John Wiley and Sons
• Dwayne Williams, Principles of Computer Security: Security+ and Beyond, McGraw-Hill
• Gary M. Jackson, 2012, Predicting Malicious Behavior: Tools and Techniques for Ensuring Global Security, John Wiley and Sons
• M. Whitman and H. Mattord, 2003, Guide to Network Defense and Countermeasures, Course Technology
• M. Whitman and H. Mattord, 2006, Database Security and Auditing, Course Technology
• M. Whitman and H. Mattord, 2nd edition, 2008, Management of Information Security, Course Technology
• M. Whitman and H. Mattord, 3rd edition, 2006, Readings and Cases in the Management of Information Security, Course Technology
• M. Whitman and H. Mattord, 3rd edition, 2010, Principles of Information Security, Course Technology
• Matt Bishop, 2003, Computer Security: Art and Science, Addison-Wesley
• Michael Goodrich, 2011, Introduction to Computer Security, Pearson Education
• Niels Ferguson, Bruce Schneier, 2003, Practical Cryptography, John Wiley and Sons
• Raymond Panko, 2004, Corporate Computer and Network Security, Prentice Hall
• Wenbo Mao, 2004, Modern Cryptography, Prentice Hall
• Will Allsopp, 2009, Unauthorized Access: physical penetration testing for IT security teams, John Wiley and Sons
• William Stallings, 2007, 3rd edition, Network Security Essentials: Applications and Standards, Pearson Education
• William Stallings, 2006, 4th edition, Cryptography and Network Security: Principles and Practices, Pearson Education
Lecture schedule

Week  Starts  Ends    Topic(s)                                                              Chapter(s)
1     15-Sep  19-Sep  Introduction, Foundation of security, security policy                 1, 2
2     22-Sep  26-Sep  Authentication, Access control                                        3, 4
3     29-Sep  3-Oct   Trusted computing and multilevel security, security models, common criteria  13
4     5-Oct           Database system security                                              5
5     6-Oct   10-Oct  Intrusion detection systems, firewalls                                8
      13-Oct  17-Oct  Break
6     20-Oct  24-Oct  Malware, Reverse engineering & obfuscation                            6
7     27-Oct  31-Oct  Denial of service attacks, protection methods                         7
8     3-Nov   7-Nov   Buffer overflows, secure code, cross-site scripting                   10
9     10-Nov  14-Nov  Other software security issues, revision                              11
10    17-Nov  21-Nov  Phishing, auditing                                                    18
11    24-Nov  28-Nov  Linux security / Windows security                                     12
12    1-Dec   5-Dec   Security of Mobile code                                               Notes
13    8-Dec   12-Dec  IT security mgt, risks, controls                                      14

11/25/2018 CSCI 262 Computer Security


Week  Starts  Ends    Tutorial/Computer Lab Activities          Lab Assignments
1     15-Sep  19-Sep
2     22-Sep  26-Sep  Tutorial and practical lab exercises
3     29-Sep  3-Oct   Tutorial and practical lab exercises      First assignment
4     5-Oct           Tutorial and practical lab exercises
5     6-Oct   10-Oct  Tutorial and practical lab exercises
      13-Oct  17-Oct  Break
6     20-Oct  24-Oct  Tutorial and practical lab exercises      Second assignment
7     27-Oct  31-Oct  Tutorial and practical lab exercises
8     3-Nov   7-Nov   Tutorial and practical lab exercises
9     10-Nov  14-Nov  Tutorial and practical lab exercises      Third assignment
10    17-Nov  21-Nov  Tutorial and practical lab exercises
11    24-Nov  28-Nov  Tutorial and practical lab exercises
12    1-Dec   5-Dec   Tutorial and practical lab exercises      Fourth assignment
13    8-Dec   12-Dec  Tutorial and practical lab exercises


Assessments

• All assessment items are compulsory and must be completed in order to pass the subject.
• Seminar reports are to be submitted and returned during lecture. Penalties will apply to all late work, except in the case of protracted (and certified) illness. 10% of the total marks available will be deducted for each day it is overdue.
• The seminar presentation assessment item will be an oral presentation.
• No assessment work will be accepted in electronic form.
• All assignments must be submitted with a school cover page at the front desk.
Assessment tasks                                              Weight  Individual/Group  Date
Lab assignments (Tutorial and Practical exercises)            20%     Individual        Week 2-13
Programming assignments                                       40%     Individual        Week 3, 6, 9, 12
Final Exam                                                    40%     Individual

11/25/2018 ECTE 282 Fall 2009 UoWD


Learning Outcome                                                                          Measures (Elements of Assessment)
(a) Analyse risks and threats to computer systems.                                        Tutorials and practical exercises, final exam
(b) Evaluate and manage the security in computer systems.                                 Lab assignments, Tutorials and practical exercises, final exam
(c) Apply models of security in Operating Systems and select methods for providing protection.  Tutorials and practical exercises, final exam
(d) Apply security mechanisms in database management systems.                             Tutorials and practical exercises, final exam
(e) Manage security for mobile code systems.                                              Lab assignments, Tutorials and practical exercises, final exam
Assessment Task: Programming assignments

Type: Individual
Description: Programming assignment
Learning Outcome Measured: (a), (b)
Total Marks: 100
Weighting: 40%
Due Date: Week 3, 6, 9, 12
Word Length (if applicable): Power point presentation
Hand in to: Lab tutor
TurnItIn submission required by:



Outline and requirements/marking criteria
• There are four programming assignments.
• Each assignment must be completed within the deadline mentioned in the handout.
• The lab paper must be handed in to the lab assistant. If you do not complete your lab assignment within the time allocated, a 10% penalty will be applied for every additional working day.
• The marking criteria will be specified in the handout.



LAB - tutorial assignment
Assessment Task: Tutorial Assignments
Type: Individual
Learning Outcome Measured: (a), (b), (c), (d), (e), (f)
Total Marks: 100
Weighting: 20%

1. You must complete and submit the assignments as stated in the handouts that the lecturer will provide you with.
2. You should attempt all the tutorial questions during the tutorial session. The lecturer will pick the tutorial assignments of random weeks for marking.
3. If you do not complete your tutorial assignment during the lab session, a 10% penalty will be applied for every additional working day.
Tutorials - marking criteria
• The tutorial and exercises will count for 20% of the subject mark.
• Marking will be based on correctness and clarity of answers, as well as your contribution to the tutorials.
• Your contribution to the tutorials is based on:
– how well you solve the problems,
– how you participate in the questions/answers with the lab assistant, as well as how you perform at the whiteboard.
– Expect to be called on to solve questions and explain your solution at the whiteboard several times during the session.
• Your tutorial mark is calculated as follows:
• 60%: the mark you obtained in marked tutorials
• 40%: the mark you obtained for your active participation in the tutorials (including how you solve the problems, and how well you perform at the whiteboard).
• Every time you solve a question or problem on the whiteboard I will mark you.

Some security exploits
Security exploits: phishing

• On the weekend of January 3, 2009, several users on the social network Web site Twitter became victims of a phishing attack.
• The users were deceived into giving away their passwords when they received an e-mail similar to one that they would receive from Twitter, with a link that read, “hey, check out this funny blog about you…”.
• The link redirects to a site masquerading as the real Twitter site.
• Any personal information entered by the user on the fake site is then captured by the attacker.
• Twitter responded by reporting the offending domain and changing the affected users’ passwords.
Security exploits: password
• On Sunday, January 4th, 2009, a hacker known only as GMZ used a tool he developed to launch a dictionary attack against the account of a Twitter user named Crystal.
• The program ran for several hours overnight, automatically trying different English words.
• When “he checked the results Monday morning at around 11:00 a.m. E.T., he found he was in Crystal’s account.”
• GMZ soon realized that Crystal was actually a Twitter staffer with administrative privileges.
• He was able to compromise several high-profile accounts by resetting their passwords and making them available to fellow hackers.
• Some of these included the accounts of President-elect Barack Obama, Britney Spears, CBS News and Fox News.
Security exploits: cryptography
Source: http://www.nytimes.com/2009/08/18/technology/18card.html?_r=2&ref=business (August 17, 2009)

3 Indicted in Theft of 130 Million Card Numbers
The computers of Hannaford Brothers (San Francisco), a supermarket chain, were infiltrated.
Security exploits: cryptography
• The man who prosecutors said had masterminded some of the most brazen thefts of credit and debit card numbers in history was charged on Monday with an even larger set of digital break-ins.
• In an indictment, the Justice Department said that Albert Gonzalez, 28, of Miami and two unnamed Russian conspirators made off with more than 130 million credit and debit card numbers from late 2006 to early 2008.
• Prosecutors called it the largest case of computer crime and identity theft ever prosecuted.
• The culprits infiltrated the computer networks of Heartland Payment Systems, a payment processor in Princeton, N.J.; 7-Eleven Inc.; Hannaford Brothers, a regional supermarket chain; and two unnamed national retailers.
Security exploits: cryptography
• An unspecified portion of the stolen credit and debit card numbers were then sold online, and some were used to make unauthorized purchases and withdrawals from banks, according to the indictment, which was filed in United States District Court in Newark…
• Richard Wang, manager of SophosLabs, a security company, said the case provided more evidence that retailers and banks needed to strengthen industry standards and encrypt credit card numbers when they are transmitted between computers.
• Currently, major banks agree to encrypt such data only when it is stored.
Security exploits: cryptography
• According to the new indictment, Mr. Gonzalez and his conspirators reviewed lists of Fortune 500 companies to decide which corporations to take aim at, and visited their stores to monitor which payment systems they used.
• The online attacks took advantage of flaws in the SQL programming language, which is commonly used for databases.
Security exploits: integer errors
• There is a Facebook group called “If this group reaches 4,294,967,296 it might cause an integer overflow.”
• This value is the largest number that can fit in a 32 bit unsigned integer.
• If the number of members of the group exceeded this number, it might cause an overflow.
• Whether it will cause an overflow or not depends upon how Facebook is implemented and which language is used; they might use data types that can hold larger numbers.
Security exploits: integer errors
• On December 25, 2004, Comair airlines was forced to ground 1,100 flights after its flight crew scheduling software crashed.
• The software used a 16-bit integer (max 32,768) to store the number of crew changes.
• That number was exceeded due to bad weather that month, which led to numerous crew reassignments.
Security exploits: integer errors
• Many Unix operating systems store time values in 32-bit signed (positive or negative) integers, counting the number of seconds since midnight on January 1, 1970.
• On Tuesday, January 19, 2038, this value will overflow, becoming a negative number.
• Although the impact of this problem in 2038 is not yet known, there are concerns that software that projects out to future dates, including tools for mortgage payment and retirement fund distribution, might face problems long before then.
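The three integer-error cases above (a 16-bit crew-change counter, a 32-bit unsigned member count, and a 32-bit signed Unix time) all come down to the same wraparound. The following added example, written for this page and not taken from any of the systems mentioned, simulates fixed-width arithmetic for each case and shows the checked addition a defender would use instead of letting the value wrap silently.

```python
from datetime import datetime, timedelta, timezone

# Constructed demonstration of fixed-width integer wraparound; it does not
# reproduce Comair's, Facebook's or any particular OS's real code.

def wrap(value: int, bits: int, signed: bool) -> int:
    """Reduce a Python int to what a `bits`-wide machine integer would hold."""
    mask = (1 << bits) - 1
    value &= mask
    if signed and value >= 1 << (bits - 1):
        value -= 1 << bits          # top bit set: negative in two's complement
    return value

def checked_add(a: int, b: int, bits: int, signed: bool) -> int:
    """Same addition, but refuse to wrap: the defensive alternative."""
    if signed:
        lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    else:
        lo, hi = 0, (1 << bits) - 1
    result = a + b
    if not lo <= result <= hi:
        kind = "signed" if signed else "unsigned"
        raise OverflowError(f"{a} + {b} does not fit in a {bits}-bit {kind} integer")
    return result

# Comair-style crew-change counter in a signed 16-bit integer: one more
# change past the maximum flips the count negative.
def crew_counter_after(changes: int) -> int:
    return wrap(changes, 16, signed=True)

# Facebook-group-style membership counter in an unsigned 32-bit integer:
# the 4,294,967,296th join wraps the count back to zero.
def members_after(joins: int) -> int:
    return wrap(joins, 32, signed=False)

# Unix time_t as a signed 32-bit count of seconds since 1970-01-01 UTC.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def time32_to_datetime(seconds: int) -> datetime:
    return EPOCH + timedelta(seconds=wrap(seconds, 32, signed=True))

def last_valid_time32() -> datetime:
    return time32_to_datetime((1 << 31) - 1)   # 2038-01-19 03:14:07 UTC

def first_wrapped_time32() -> datetime:
    return time32_to_datetime(1 << 31)         # wraps to 1901-12-13 20:45:52 UTC

if __name__ == "__main__":
    print(crew_counter_after(32767), crew_counter_after(32768))   # 32767 -32768
    print(members_after(4294967295), members_after(4294967296))  # 4294967295 0
    print(last_valid_time32(), first_wrapped_time32())
    try:
        checked_add(32767, 1, 16, signed=True)
    except OverflowError as e:
        print("rejected:", e)
```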
Security exploits: input validation
• In December 2005, a Japanese securities trader made a $1 billion typing error when he mistakenly sold 600,000 shares of stock at 1 yen each instead of selling one share for 600,000 yen.
• A few lines of code may have averted this error.
• Fat-fingered typing costs a trader’s bosses £128 million or $203.3 million.
• Source: The Times Online, December 09, 2005
Security exploits: input validation
• Web applications are highly vulnerable to input validation errors.
• Inputting the invalid entry “!@#$%^&*()” on a vulnerable e-commerce site may cause performance issues or denial of service on a vulnerable system, or invalid passwords such as “pwd’” or “1=1— ” may result in unauthorized access.
• Source: http://www.processor.com/editorial/article.asp?article=articles%2Fp3112%2F32p12%2F32p12%2F32p12.asp&guid=&searchtype=&WordList=&bJumpTo=True
Security exploits: input validation
• A Norwegian woman mistyped her account number on an internet banking system.
• Instead of typing her 11-digit account number, she accidentally typed an extra digit, for a total of 12 numbers.
• The system discarded the extra digit and transferred $100,000 to the (incorrect) account.
• A simple dialog box informing her that she had typed too many digits would have helped avoid this expensive error.
• Source: Olsen, Kai. “The $100,000 Keying Error”, IEEE Computer, August 2008
Security exploits: input validation
• The site xssed.com lists nearly 13,000 vulnerable Web pages, including sites such as yahoo.com, google.com, msn.com, facebook.com, craigslist.com and cnn.com.
Security exploits: input validation
• The Risks digest (http://catless.ncl.ac.uk/Risks), an invaluable resource on computing systems gone wrong, carried a report of an electronic commerce web site that failed to verify the quantity of items ordered.
• After accidentally typing “1.1” for the desired quantity of an item (instead of one), an amused customer found that the system would let him order 1.1 cocktail shakers at $9.99 each, for a total of $10.99.
• A simple check to verify that the quantity was an integer value would have eliminated the absurd possibility of ordering one-tenth of a cocktail shaker.
• Source: Richard Kaszeta, “Lack of sanity checking in Web shopping cart software”, Risks Digest, 23(51), http://catless.ncl.ac.uk/Risks/23.51.html#subj11
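The input validation slides above all describe the same missing step: checking what the user typed against what the field is allowed to contain before acting on it. The following added example (written for this page, not code from any of the sites or papers cited) shows allow-list validators for the three cases, a non-integer order quantity such as “1.1”, a 12-digit value in an 11-digit account-number field, and free-text fields containing characters like “!@#$%^&*()”, “pwd’” or “1=1—”. The field names, limits and sample inputs are assumptions made for the demonstration.

```python
import re
from decimal import Decimal

# Constructed validators: each accepts only the exact shape the field needs
# and raises on anything else, instead of truncating or coercing the input.

class ValidationError(ValueError):
    pass

def parse_quantity(raw: str, max_qty: int = 1000) -> int:
    """Accept only a positive whole number; '1.1', '-1' and '1e3' are rejected."""
    if not re.fullmatch(r"[0-9]+", raw.strip()):
        raise ValidationError(f"quantity {raw!r} is not a whole number")
    qty = int(raw)
    if not 1 <= qty <= max_qty:
        raise ValidationError(f"quantity {qty} is outside 1..{max_qty}")
    return qty

def parse_account_number(raw: str, digits: int = 11) -> str:
    """Require exactly `digits` digits; an extra digit is an error, never dropped."""
    cleaned = raw.replace(" ", "")
    if not re.fullmatch(rf"[0-9]{{{digits}}}", cleaned):
        raise ValidationError(
            f"account number must be exactly {digits} digits, got {len(cleaned)}")
    return cleaned

# Allow-list for a login name: letters, digits and ._- only, so quote and
# comment sequences that could reach a database query are never accepted.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def parse_username(raw: str) -> str:
    if not USERNAME_RE.fullmatch(raw):
        raise ValidationError(f"username {raw!r} contains disallowed characters")
    return raw

def naive_total(raw_qty: str, unit_price: str) -> str:
    """What the Risks-digest cart did: trust whatever number the user typed."""
    total = Decimal(raw_qty) * Decimal(unit_price)
    return str(total.quantize(Decimal("0.01")))       # "1.1" x 9.99 -> "10.99"

def order_total(raw_qty: str, unit_price: str) -> str:
    """Total for a validated order line; non-integer quantities never get this far."""
    total = parse_quantity(raw_qty) * Decimal(unit_price)
    return str(total.quantize(Decimal("0.01")))

if __name__ == "__main__":
    print(naive_total("1.1", "9.99"))                  # 10.99, one-tenth of a shaker
    for field, parser, value in [("quantity", parse_quantity, "1.1"),
                                 ("account", parse_account_number, "123456789012"),
                                 ("username", parse_username, "1=1-- ")]:
        try:
            parser(value)
        except ValidationError as e:
            print(f"{field}: rejected ({e})")
```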
Security exploits: buffer overflows
• Buffer overflow vulnerabilities were exploited by the first major attack on the Internet.
• Known as the Morris worm, this attack infected more than 60,000 machines and shut down much of the Internet for several days in 1988.
• Source: Carolyn Duffy Marsan, “Morris Worm Turns 20: Look what it’s Done”, Network World, October 30, 2008, http://www.techworld.com.au/article/265692/morris_worm_turns_20_look_what_it_done/
Security exploits: buffer overflows
• A buffer overflow in a 2004 version of AOL’s AIM instant-messaging software exposed its users to attack.
• If a user posted a URL in their “I’m away” message, any of his or her friends who clicked on that link might be vulnerable to attack.
• AOL’s response was to suggest that users update to a new version that would fix the bug.
• Source: Paul Roberts, “AOL IM ‘Away’ message flaw deemed critical”, Infoworld, August 9, 2004, http://www.infoworld.com/article/04/08/09/HNaolimflaw_1.html
Security exploits: buffer overflows
• The Blaster worm that attacked Microsoft Windows systems in August 2003 relied upon a known buffer overflow in remote procedure call facilities.
• Once it was installed on a given computer, Blaster would attempt to find other vulnerable computers.
• Upon finding a vulnerable computer, Blaster would issue instructions that would create a process on the target and cause the worm to be downloaded to it.
• Source: CERT® Advisory CA-2003-20 W32/Blaster worm, http://www.cert.org/advisories/CA-2003-20.html
Some tools
• http://splint.org/samples/
• http://frama-c.com/
• http://cis1.towson.edu/~cssecinj/links-resources/tools-for-secure-coding/