| Function Abstractions | Data Abstractions | Programming Paradigms |
|---|---|---|
| Control | Lists | OOP |
| HOFs | Recursive data structure | Function |
| Recursion | Growth | Declarative |
Computer Security
- Web security : Are you on the website that you think you are on and does it do what you think it does?
- Network security : Who can see what you are doing online?
- Systems security : Who has access to software & data on your laptop (or your company's servers)?
What is the web?
client browser --- web server
HTTP ( Hypertext Transfer Protocol )
: A common data communication protocol on the web
Some Types of Attacks
- Cross-Site Request Forgery
- SQL Injection
- Network Eavesdropping
Facebook Spam
Cookies
Cookies & Web Authentication
- Track users who have authenticated ("logged in")
- E.g., once the browser has fetched http://mybank.com/login.html?user=alice&pass=bigsecret with a correct password, the server associates the value of the "session" cookie with the user's account
- chrome://settings/content/cookies
A Normal Website
: visiting this boring web page will just display a bit of content
An Evil Website
: so if we visit a page under an attacker's control, they can have us visit other URLs
Cross-Site Request Forgery
: what happens if we visit evilsite.com
- Our browser issues the request and dutifully includes the authentication cookie
- Cross-Site Request Forgery ( CSRF ) attack
Cross-Site Request Forgery Defense
- If you have to click on an unfamiliar link, use Incognito
- Also, some browsers have implemented "SameSite" cookie attribute
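The CSRF scenario and the SameSite defense above, as an added simulation (not code from the lecture): it models when a browser attaches the bank's session cookie to a request, depending on the cookie's SameSite attribute. Site names and the `Cookie`/`Request` helpers are constructed for the demo.

```python
# Added example: simulate the browser's decision to attach a cookie to a request.
# Rules follow the SameSite attribute:
#   Strict -> only same-site requests
#   Lax    -> same-site requests, plus cross-site top-level navigations using a safe method
#   None   -> always attached (the pre-SameSite behaviour that CSRF relies on)
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Cookie:
    name: str
    value: str
    site: str        # site that set the cookie, e.g. "mybank.com"
    same_site: str   # "Strict", "Lax" or "None"


@dataclass
class Request:
    method: str
    target_site: str     # site the request goes to
    initiator_site: str  # site of the page that triggered the request
    top_level: bool      # True for a navigation, False for a sub-resource (img, script, fetch)


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether the browser would attach `cookie` to `req`."""
    if cookie.site != req.target_site:
        return False  # a cookie only ever goes to the site that set it
    same_site_request = req.initiator_site == req.target_site
    if same_site_request or cookie.same_site == "None":
        return True
    if cookie.same_site == "Strict":
        return False
    # Lax: only top-level navigations with a safe (read-only) method
    return req.top_level and req.method in SAFE_METHODS


def csrf_attempt(same_site_attr: str) -> bool:
    """evilsite.com auto-submits a hidden form that POSTs to mybank.com.
    Returns True if the session cookie rides along, i.e. the forged request is authenticated."""
    session = Cookie("session", "alice-session-id", "mybank.com", same_site_attr)
    forged = Request("POST", "mybank.com", "evilsite.com", top_level=True)
    return cookie_is_sent(session, forged)
```

Note that under Lax a plain link (top-level GET) from evilsite.com still carries the cookie, so state-changing actions must not be reachable via GET.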
Is Facebook listening to your verbal conversations ?
Facebook Pixel
- a piece of code advertisers put on their sites that tracks your activity on those sites and reports it back to Facebook
: relies on cookies
- not necessarily malicious, but is this what you agreed to?
: Most websites track your online activity without telling you
: I'm guilty as well; used to work for Google Analytics
Phishing
- Attacker creates a fake website that looks like a real one
- Tricks the user into visiting it (e.g. by sending an email)
- User enters credentials and sensitive data, which get sent to the attacker
- The page then redirects to the real site or shows a maintenance message
Two-Factor Authentication
- Type in your password and authenticate using your mobile device
- Can also be fooled!
: For example, the fake website can ask for both your password and your authentication code, and use it themselves.
U2F keys
- A secondary method of authentication
- Key Idea: Cannot be phished
: The security key itself knows which site it is talking to through the browser:
: it knows the difference between www.google.com and www.g00gle.com
- Touching the key lets it know that a person is physically making the request
SQL Injection
- Template: SELECT online_id, balance FROM bank_info WHERE online_id = '<INPUT1>' AND passcode = '<INPUT2>';
- Expected input: INPUT1 = BOB, INPUT2 = 123
: SELECT balance FROM bank_info WHERE online_ID = 'BOB' AND passcode = '123';
- Malicious input: INPUT1 = BOB, INPUT2 = 123'; SELECT * FROM bank_info;
: SELECT balance FROM bank_info WHERE online_ID = 'BOB' AND passcode = '123'; SELECT * FROM bank_info;';
: The quote inside the input closes the string early, so the rest of the input is run as a second SQL statement (the dangling ';' at the end is left over from the template)
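The slide's query run against an in-memory SQLite table, as an added example (not the lecture's own code): the vulnerable version pastes the inputs into the SQL text and a trace callback records every statement SQLite actually executes, while the parameterised version treats the same malicious input as a plain passcode value. The table, rows and function names are constructed for the demo.

```python
# Added example: vulnerable string-built query vs. parameterised query, using sqlite3.
import sqlite3


def make_db() -> sqlite3.Connection:
    # isolation_level=None -> autocommit, so no implicit BEGIN/COMMIT shows up in the trace
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE bank_info (online_id TEXT, passcode TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO bank_info VALUES (?, ?, ?)",
                     [("BOB", "123", 500), ("ALICE", "bigsecret", 9000)])  # constructed rows
    return conn


def build_query(online_id: str, passcode: str) -> str:
    """The slide's template with the inputs pasted straight into the SQL text (the bug)."""
    return (f"SELECT online_id, balance FROM bank_info "
            f"WHERE online_id = '{online_id}' AND passcode = '{passcode}';")


def statements_run_vulnerable(conn: sqlite3.Connection, online_id: str, passcode: str) -> list:
    """Run build_query() as a script and return every SQL statement SQLite executed."""
    executed = []
    conn.set_trace_callback(executed.append)  # called once per statement the engine runs
    try:
        conn.executescript(build_query(online_id, passcode))
    except sqlite3.Error:
        # The leftover "';" from the template is a syntax error, but SQLite only reaches it
        # after the injected "SELECT * FROM bank_info" has already run.
        pass
    finally:
        conn.set_trace_callback(None)
    return executed


def lookup_safe(conn: sqlite3.Connection, online_id: str, passcode: str) -> list:
    """Parameterised query: inputs are bound as values, never spliced into the SQL text."""
    return conn.execute(
        "SELECT online_id, balance FROM bank_info WHERE online_id = ? AND passcode = ?;",
        (online_id, passcode),
    ).fetchall()
```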
Good News
: all your data has probably been stolen already ( no jk )
" Underground Economy "
- In the mid-2000s, financially motivated cybercrime surged in popularity
: Spam, pharmaceuticals, credit card theft, identity theft
: Facilitated by a well-developed "underground economy"
Risk Mitigation
- Password Manager
: ex. LastPass, 1Password, Keeper #notspon
: Your password manager can have stronger authentication than average website
- Even if one of your passwords is leaked, other passwords will still be secure
Network Eavesdropping
Cryptography
- Encrypting data so that only trusted parties can see it
- WPA2 is the most common type of secure network encryption
: Encryption usually involves having secret keys that no one else knows
Caesar Cipher
- Original : "Sunset tomorrow is at five oclock."
- Encrypted : "Vxqvhw wrpruurz lv dw ilyh rforfn."
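The cipher from the slide (a shift of 3) as an added example, not the lecture's own code, together with a brute-force search over all shifts that shows why a 25-value key offers no real secrecy. The function names and the known-word heuristic are constructed for the demo.

```python
# Added example: Caesar cipher encrypt/decrypt and a brute-force key recovery.
import string
from typing import Optional

ALPHABET = string.ascii_lowercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` positions (mod 26), preserving case and non-letters."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ALPHABET if ch.islower() else ALPHABET.upper()
            out.append(base[(base.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, shift: int) -> str:
    """Undo caesar(): shifting by -shift."""
    return caesar(ciphertext, -shift)


def brute_force(ciphertext: str, known_word: str = " is ") -> Optional[int]:
    """Try every nonzero shift and return the first whose plaintext contains `known_word`.
    With only 25 candidate keys, an attacker never needs the 'secret' shift."""
    for shift in range(1, 26):
        if known_word in decrypt(ciphertext, shift).lower():
            return shift
    return None
```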
Ransomware
- 22 known ransomware attacks on government agencies this year
- 'RobbinHood' Attack on Baltimore
: Common causes are brute-force attacks & phishing, but no evidence of those in this case
: If there is a big enough incentive to do so, malicious actors will try to exploit your system
: Knocked out government employees' emails, phone lines, and online bill payments
: Security researchers still have not figured out how RobbinHood penetrated the network
: The software leaves a ransom note that demands payment of ~$75k to regain access to the network
Security Research
- Tricking Google Homes, Alexas, Mozilla's DeepSpeech, and other automatic speech recognition software
- Can we make speech recognition software hear this audio as something else?
: ex. "Okay Google, browser to evil.com"
: What are the fewest changes we can make?
- How can someone control your smart devices without you being aware of it?
: So far, it's been shown that speech recognition software can be tricked, but we can't reliably do it over-the-air
https://blockchain.berkeley.edu