Adversaries:
- All are bad, some have ‘good’ reasons:
- Government-funded agencies
- e.g. NSA, GCHQ, GRU
- Some of the most sophisticated adversaries
- Government-funded agencies
- Botnets (i.e. infected machines)
- Malware developers
- Cashout (selling data, access to machines) and ransomware gangs
- Locked-in products (e.g. printer cartridges, BMW heated seats)
- GM: expects to make more profit from software than cars
- Everyday aggressions (e.g. hate campaigns, cyberbullying, abuse)
Targeting individuals is harder than targeting everyone:
- Targeting individuals may require hardware access
- Target everyone and filter (e.g. PRISM, Tempora programs)
Psychology Aspects
The User
Education:
- Ability to recognize an attack (e.g. phishing, infected email)
- Ability to install and maintain security tools (on a limited budget)
- Ability to make informed choices (with limited knowledge)
Ability to detect deception:
- Anchoring effect: the first details have a disproportionate impact on people’s judgment
- Availability heuristic: inference in based on examples we know of
- Origin of danger: skepticism about things we have heard vs. seen
- Biased representation: bigger consequences lead to increased fear
- Experience vs. education: lived experiences have a bigger impact
Behavioral Economics
Present bias and hyperbolic discounting:
- From ‘update now’ interruptions to ‘pick a time’ reminders
- Some people would always click on ‘not now’ or ‘cancel’ and not install important security updates
- Privacy paradox: people claim to care about their privacy, but at the same time give up a lot of information online to access free services
- In the physical world: signing up for membership cards and giving personal details to get discount
Defaults and ‘choice architecture’:
- Opt-in vs opt-out
- e.g. becoming an organ donor in NZ is an opt-out process
- Default settings to your benefit
- Granularity of configurations to overwhelm users
- Facebook privacy settings
- GDPR cookie opt-out settings
Privacy control settings give people more rope to hang themselves
George Loewenstein
Intentionality and cognition
- Attribution error: attributing error to personality, rather than context (but vice-versa for yourself)
- Affect heuristic: emotions taking over decision-making
- Halo effect: impersonating trusted and renowned brands
- Cognitive dissonance: people do not wish to admit that they have been tricked, even in the face of evidence
- Recency effect: so much information that you ignore most of it
- e.g. warnings/alerts with too many false-positives: people start ignoring them to the point that true-positives get ignored
- Risk thermostat: increased safety pushes more risk elsewhere
- e.g. seatbelts leading to people driving faster and causing more accidents
Education must be fit for audience:
- How effective is it to teach users to identify phishing by URL?
- Can you teach that to your grandparents?
- Curiosity and thrill of risky behavior
- e.g. UK teenagers in DDoS attacks
Deception Techniques
Common sales techniques:
- Reciprocity: the need to return favors
- Social proof: the need to belong to a group; the smaller, the better
- Authority: more likely to obey (purported) authority figures
- Scarcity: fear of missing out
Stajano and Wilson’s 7 principles of scam (2011):
- Distraction: like with magic shows, misdirect the audience’s attention
- Social compliance: not questioning authority figures as much
- Herd principles: follow the flow
- Dishonesty: the deal is good because it is borderline unethical/illegal
- Kindness: linked to reciprocity sale techniques
- Need & greed: find what you want and make you dream of it
- Ask questions about what the victim wants rather than trying to directly sell the product
- Time pressure: e.g. ‘only 2 more seats left’
User Credentials
Passwords
Passwords:
- The most common authentication mechanisms
- Rules for ‘good’ passwords
- Its transfer and persistence must be carefully looked at
- Passwords can sometimes be accidentally stored in log files
- Generated passwords and password managers lower the chance of ‘cross-hacking’
Advanced tools to safely reuse accounts:
- Single sign-on
- Intrusion alarms for stolen credentials (e.g. haveibeenpwned)
Password recovery is not just a ‘send a magic link’
- Scope is important (e.g. website with non-sensitive data, versus a bank)
- What happens to your security questions if an account is pwned?
Good password practices:
- From local systems to openly accessible ones
- UNIX used to store encrypted passwords in
/etc/passwd
- UNIX used to store encrypted passwords in
- The choice is often between choosing something ‘easy’ or writing it down
- Password managers may sometimes not be possible (e.g. organizational accounts)
- What is ‘easy’ for you (and not for a guesser?)
Memorability (Yan et al., ‘Password memorability and security, empirical results’, 2004):
- Asked participants to generate passwords:
- Select your own guidelines (e.g. character classes, length)
- Passphrase-based (e.g. ‘correct-horse-battery-staple’)
- 8 character randomly chosen (with a week to memorize)
- No significant difference in memorability between the three techniques
- Found the passphrase was the most secure
Guidelines and real life:
- NIST previously recommended frequent password changes
- Still widely followed by auditing organizations, despite new organization
- 40% were guessable from prior passwords (e.g. adding month/year, or an incrementing number, to the end of the password)
- Organizational threats:
- Envelopes stuck to machines/under the keyboard
- Non-resettable default passwords
- Or forgetting to change the defaults
- Non-encrypted passwords
- Countermeasures to social-engineering threats
- No more links (e.g. emails from banks); just ask users to visit the website
- Customer education and phishing warnings (must be explicit)
Non-phishing Attacks
(Automated) systems to get illegitimate access to a particular account:
- Brute forcing guesses
- Potentially informed by prior data links
(Automated) systems to get details of all accounts:
- Attempts to penetrate a server and steal a password file and key
- The adversary can then recover the encrypted password offline
(Automated) systems to block accounts:
- The service may have systems may to block accounts or trigger a login timeout after some number of failed attempts
- Denial of service attack
If your encryption, OS and network security mechanism are trusted, it comes down to two factors:
- Password entropy
- User psychology
Security and Organization
Security players:
- Red team:
- Offensive team
- Penetration/black box testing
- Social engineering
- Blue team:
- Defensive team
- Damage control
- Incident response
- Operational security
- Purple team:
- Improvement facilitation
- Data analysis
Types of malware:
- Virus: spreads via user interaction
- Worms: spreads automatically
- Trojan: malware disguised as legitimate software
- Rootkit: malware that can gain root access, often implemented very low in the software stack
- Spyware: monitors a user’s activity
- Blended threats: malware using multiple attack types
- Remote access: gaining access to TeamViewer/AnyDesk/VNC/etc. instances
- VNC: attackers replaced executable on official distribution website with version containing malware
- Adware: malware which maliciously feeds ads
- Exploit kit: tools to automatically deploy and manage exploits
Knowledge Bases
- Directory of potential attack techniques, per type of operations systems
- Grouped into 14 categories (e.g. reconnaissance, privilege escalation)
- Each technique contains:
- Examples
- Potential mitigation
- Detection methods
Tactics:
- Reconnaissance: gather knowledge about the target system (e.g. IP/port scanning)
- Resource development: build the capability to launch attacks (e.g. create fake accounts)
- Initial access: techniques used to gain first access to a system
- Execution: running the payload on the compromised system
- Persistence: ensuring the payload stays on the compromised machine
- Privilege escalation: gaining higher-level permissions on the compromised machine
- Defense evasion: evading detection by security software/staff (e.g. renaming, spoofing of parent process ID)
- Credential access: gaining credentials of legitimate users (e.g. MITM, brute force, phishing)
- Discovery: gathering information about the inner workings after gaining access to aa system
- Lateral movement: gaining access to other systems
- Collection: collecting data to exfiltrate (e.g. passwords, keys, financial data)
- Command and control: infect a machine to run unwanted processes
- Exfiltration: transferring collected data/knowledge from the infected systems to the adversary
- Impact: interrupt, manipulate, or destroy infected systems (e.g. encrypt data, wipe, DoS)
Assignment
- 3/4 assignments are in small groups of 2-3
- Do not work with people you have already worked in previous assignments (in this course)
- Group registration closes one week before delivery date
- Two weeks for the assignment 4
- You cannot submit your assignment if you miss it, and will get zero marks
- All assignments have a grace period of one week: can submit up to one week after the submission date with no penalty
- No way to get an additional extension except under special circumstances
- Must apply before the official submission date
- No way to get an additional extension except under special circumstances