CSE 825: Computer and Network Security

1
CSE 825 Computer and Network Security
Alex X. Liualexliu_at_cse.msu.eduhttp//www.cse.ms
u.edu/alexliu2132 Engineering
BuildingDepartment of Computer Science and
EngineeringMichigan State University
2
General Course Infomation

• Instructor Alex X. Liu
• Office 2132 Engineering Building
• Office hours Mon, Fri, 4-5PM
• Open door policy feel free to drop by any time
• Course homepage http//www.cse.msu.edu/alexliu/c
  ourses/825Spring2007/
• Email list Cse825-spring07_at_lists.cse.msu.edu

3
General Course Infomation

• Prerequisites
• Computer Networks
• Operating Systems
• Programming Languages
• No textbook, but papers
• Warning You are not allowed to break into
  machines that are not your own.
• Grading
• Projects 60 (proposal 5, report 45,
  presentation 5, poster 5)
• Final exam 20
• Homework15
• Participation5

4
Projects

• Individual project or team project
• Topics
• How?
• 1. Choose a topic that you feel exciting.
• 2. Read papers. The goal is to UNDERSTAND the
  topic.
• 3. Think of a problem that is important and that
  has not been addressed (enough). DO NOT propose a
  small fix to a previous idea. Think big!
• 4. Think of your own idea to solve the problem.
  Be bold! Be creative!
• 5. Develop your idea.
• 6. Valid your idea.
• 7. Write down your idea.
• Goal a conference paper.

5
Project Deliverables

• Project proposal, due February 9
• Project report source code, due April 22
• Presentation
• Poster
• You need to begin to think about your project
  topic, team, etc.

6
Homework

• Writing paper reviews using your own words
• What's the problem that the authors are trying to
  solve?
• Why previous solutions are not good enough?
• What's the solution that the authors are
  proposing?
• Is this solution perfect? If not, what are the
  weaknesses of this solution?
• How will you solve the problem after reading this
  paper? (Be bold in answering this question.)

7
Topics

• Cryptography Basics
• Basic Security Protocols
• Authentication
• Passwords
• Cookies
• Certificates, PKI
• SSL

8
Topics

• Phishing Attacks
• Web Security
• Firewalls
• IPSec, VPN
• Intrusion Detection Systems
• DoS Attacks
• Anti-SPAM

9
Topics

• Operating System Security
• Database Security
• Software Security
• Buffer Overflow Attacks
• Virus, Worms
• Privacy Perserving Data Mining
• Language-based Security

10
Topics

• Virtual Machine Security
• Cell phone security
• Electronic Voting Systems
• Wireless Security
• Sensor Network Security
• RFID Security
• Tunnel Detection

11
Why study security?

• People attack systems and do damage
• Why do they do it?
• Financial motivation
• Religious/political motivation
• industrial espionage
• Bored teenagers
• Angry employees
• How do they do it?
• Physical access, network attacks
• Exploit vulnerabilities in applications and
  security mechanisms
• Whom do they attack?
• Banks
• Government agencies
• E-commerce web sites
• Hollywood
• Universities (play ground)

12
How big is the problem?
CERT Vulnerabilities reported
http//www.cert.org/stats/
13
Attacks and Losses

• In first half year of 2005, 237 million network
  attacks launched
• IBM Global Business Security Index Report
• In 2005, U.S. businesses lost 67.2 billion
  dollars due to attacks
• 2006 Computer Crime and Security Survey by FBI
  and CSI

14
Why does this happen?

• Lots of buggy software...
• Some contributing factors
• Few courses in computer security
• Programming text books do not emphasize security
• Few security audits
• C is an unsafe language
• Programmers are lazy
• Legacy software (some solutions, e.g.
  Sandboxing)
• Security mechanisms are difficult to use
• Security is expensive and takes time
• Insider threat
• Easy to hide code in large software packages
• Difficult to discover hiden malicious code
• strict development rules and physical security
  help

15
Human Subjects

• Social Engineering
• There are attacks that do not use computers, use
  human instead.
• Catch me if you can
• Call system administrator
• Dive in the dumpster
• Online version
• send trojan in email
• picture or movie with malicious code

16
Example Security Incident 1

• Rob Harris case - slot machines
• An insider he worked for Gaming Control Board in
  the Electronic Services Division in Las Vegas.
• Malicious code in testing unit
• when testers checked slot machines
• downloaded malicious code to slot machine
• was never detected
• special sequence of coins activated winning
  mode
• Caught when greed sparked investigation
• 100,000 jackpot

17
Example Security Incicent 2

• The Slammer worm penetrated a private computer
  network at Ohio's Davis-Besse nuclear power plant
  in January 2003 and disabled a safety monitoring
  system for nearly five hours
• The Slammer worm entered the Davis-Besse plant
  through an unsecured network of an unnamed
  contractor, then squirmed through a T1 line
  bridging that network and Davis-Besse's corporate
  network. The T1 line was one of multiple
  ingresses into Davis-Besse's business network
  that completely bypassed the plant's firewall,
  which was programmed to block the port Slammer
  used to spread.
• Luckily the plant was not operating at that time.

18
Example Security Incicent 3

• Breeders cup race
• Upgrade of software to phone betting system
• Insider, Christopher Harn, rigged software
• Allowed him and accomplices to call in
• change the bets that were placed
• undetectable
• Caught when got greedy
• won 3 million