Return to book
Review this book
About the author
Introduction
1. Access Control
2. Authentication
3. Biometrics
4. Crypto Engineering
- 4.1. Software Crypto
- 4.2. Hardware Crypto
5. Malware
- 5.1. Virus
- 5.2. Worm
- 5.3. Trojan Horse
- 5.4. Writing Virus
- 5.5. Rootkits
- 5.6. Anti-virus software
- 5.7. Inside popular software
6. Protecting Clients
7. Security and Usability
- 7.1. User Interface (UI)
- 7.2. Passwords
- 7.3. Cognitive Experiment
- 7.4. Insider Attacks
8. Secure Programming
- 8.1. Buffer overflow
  - 8.1.1. Buffer Overflow Protections
  - 8.1.2. Exploit Buffer Overflow
- 8.2. Secure C practice
- 8.3. secure-sensitive program
9. Physical Security
10. (Web Service) Architecture
- 10.1. Contents and Scripts
11. Confinements
- 11.1. chroot
- 11.2. JVM
- 11.3. Network Identity
- 11.4. Virtual Machine
- 11.5. Sandbox
12. Program Structure
- 12.1. Case study: 4.3BSD FTP Daemon
- 12.2. Case study: mailer
- 12.3. Case study: Web Browser
13. Security Analysis
- 13.1. Construction vs. Destruction
- 13.2. Analyze individual programs
- 13.3. Analyze overall system
- 13.4. Software Engineering Code of Ethics
- 13.5. Tools part 1: OS system calls
- 13.6. Tools part 2: fuzzing and more
- 13.7. Reconnaissance
14. The Internet of Things
- 14.1. Embedded Systems (Smart Devices)
- 14.2. Internet of Things Architecture
- 14.3. Case study: Thermostat
15. Logging
- 15.1. Loggin in practice
- 15.2. Log Incidents
- 15.3. Case study: PHP4 web server attack
16. After An Attack
- 16.1. Analyze a hacked system
- 16.2. Deleted Files
- 16.3. Monitor Intrusion
- 16.4. Conclusion
17. System Structure
- 17.1. Case study: build an e-commerce
- 17.2. Network Operation Center
- 17.3. Router Link Weakness
- 17.4. Remote Access
- 17.5. Question: store credit card number in database?
- 17.6. General Principle
18. Exams
- 18.1. Fall 2014 Midterm
- 18.2. Fall 2013 Midterm
- 18.3. Fall 2010 Midterm
- 18.4. Fall 2008 Midterm

Security Architecture and Engineering

After An Attack

Sometimes bad guys win

What to do if a machine is compromised?

How to assess the damage?

How to recover?

E.g. 2014 Sony Pictures were hacked by North Korea as the government isn't pleased with one screened pictures. TODO: Find news link

How is a machine compromised?

0-day attacks? Attacks that are never seen before. $\rightarrow$ not most usual.
Carelessness? (biggest case) Hackers with specialized knowledge creates phishing emails to obtain information.

Spear phishing (TODO): hacker fakes information based on your background, making the fake information sound more convincing.
Insider attacks? It's very hard to prevent (Snowden case). Combine insider attack with phishing emails, someone inside sends tailored fake information to obtain access from you, is even worse.

Insider case study: 1990s, one guy wants to still passwords from top executives. He sets up phone modem, and try to reroute phone modem from company to local phone modem.. Eventually he got caught.

Damage Assessment

What has to be thrown out?
What can be saved?
How did the bad guys get in? Generally, it's not possible to cleanse compromised system. Usually reformat your disk and reinstall. Today even that's not enough, NSA has demonstrated that it can hack into MacBook batteries (modern PC batteries have CPUs).

Why attacks happen?

Previously, hackers attack systems to show off.

Shut down networks, cause it's fun!
Gradually, hackers attack systems for money (hacking for profit).

Don't shut down networks cause it's not going to make money. Steal valuable information. Hackers got paid to launch attacks.
Recently, state governments and organizations launch large scale attacks (Ex. China-US cycber war; Target, Home Depot credit card system compromise).

Hidden Back Doors

Cron jobs
Programs buried in someone's .profile
Modern systems have many ways to launch programs at boot time.
Trojan horses in commands likely to be executed by root.
Many more!

Self-repairing Malware

Malware contains two or more programs with back door.
Each malware check the other malware's presence.. If not exist, download the other one.

Bots and Boats

Many infections these days turn machines into "bots".
Modern bot software can upgrade itself.
Bots can download different payloads -- spam engines, DDos engines, keystroke loggers, etc.

After attack of compromised machine..

The attacker has access to all network-accessible resources of compromised machine.

Home Depot incident: attackers got into home depot main server, then they found out what are the servers for home depot point-of-sale system.

Attacker can launch a second attack after first attack succeeds: send phishing emails to internal staff to gain more information.

Backups are your friend

Back up your system frequently.
Make sure you have a 0-day backup, from before the system went live.
Recover your data, not the program, from backup.
If you have good backups, you could restore to another machine and compare files $\rightarrow$ very time-consuming.

Tripwire

Create a cryptographic checksum of each file.
To detect changes, the program re-calculate the checksum.
Easier said than done.

Can you trust master's checksum? Can you trust the software that calculates the new checksum?

Linux case study:

A (linux) loadable kernel module intercepted file system operations.
If pid 1 tried to open /sbin/init, it got the Trojan horse version.
If any other process pid open /sbin/init, it got the real version.
Tripwire wouldn't detect this substitution!

Assurance

It's not just fixing things, it's knowing that you've fixed them (a very difficult problem).