Sunday, August 30, 2009

Confidentiality vs. Availability of Information at UC Berkeley

In the past six months, the University of California at Berkeley has been the victim of two attacks on its information systems. The first attack targeted the main web server of the Graduate School of Journalism, while the second, more severe attack targeted the Health Services databases. In the attack on the Health Services databases, the social security numbers of 160,000 people were compromised.

The blame for these attacks cannot be laid upon the University, which already spends roughly one million dollars each year to constantly improve the protection of information systems. The true cause of these attacks is that, as a university, Berkeley is caught in the middle of the debate between the confidentiality and the availability of information. They have conflicting goals of keeping the information of their students, faculty, and additional employees safe, while fulfilling their purpose as a university to share information with the public. Shelton Waggener, who is the associate vice chancellor for information technology at Berkeley, articulated this dilemma when he spoke to Amy Brooks at the Daily Californian: "Universities are set up to disseminate data and information. That's what our mission is, so it becomes difficult when you blend public information and private."

Therefore, the debate becomes not how much money or time Berkeley should spend trying to protect its information, but rather how much it wants to protect its information at all. The problem that arises is creating a system that is secure with confidential information while being completely open to the public with academic information that it wishes to share as part of its mission.

One approach that officials at Berkeley are pursuing to try to balance these goals while preventing future attacks is reducing the number of locations where sensitive information is stored. The University of Massachusetts experienced a similar problem when a laptop was stolen last year that contained the information of students from 1982 to 2002. This incident serves to illustrate the importance of limiting the number of locations where sensitive information is stored. Limiting that number will provide more security for confidential information while leaving the availability of academic information wide open.

Sources:
Brooks, Amy. "Campus Takes Steps to Boost Server Security After Breaches." The Daily Californian. 25 Aug. 2009. Web. 30 Aug. 2009.
Dayal, Priyanka. "Hackers Gained Access to UMass Info." News Telegram. 21 Aug. 2009. Web. 30 Aug. 2009.

Beware of Free Laptops

The FBI is currently investigating the delivery of Hewlett-Packard laptops to governors’ offices across the United States. The laptops were not ordered by any of the offices, and there is a fear that there is malicious software in these computers. Thus far, West Virginia, Wyoming, Vermont and seven other states have been targeted. The computers were ordered online, and the governors’ offices billed, although they have not paid for them. After some laptops were successfully delivered and reported to authorities, more were intercepted en route to their destinations. Says West Virginia’s chief technology officer Kyle Schafer, "Our expectation is that this is not a gesture of good will. People don't just send you five laptops for no good reason." Meanwhile, HP is investigating the fraudulent orders.

These laptops are a cause for concern because of the belief that they may have been intended as a way to get inside the states’ firewalls and secured systems. As security becomes tighter and more sophisticated, hackers have begun to use different methods to get into a system. Recently, criminals have tried leaving USB devices containing viruses and malware outside of office buildings or around company areas in the hopes that someone would plug them into a computer to see what was on them. Many Windows systems automatically run such programs when they are inserted, and if the USB device contained malware, it might be able to infiltrate a system. The cost of the laptops ordered by criminals would be minuscule compared to the value of hacking into secure government databases.

In the present situation, the offices have handled the situation well by being aware that the laptops were not ordered by their office, not turning them on or connecting them to their network and informing authorities immediately. Similar procedures should be followed in future both by government and private companies. It is important that whoever is in charge of installing new computers into a system be aware of computer orders placed by their organization. In the case of USB devices that are found, they should never be inserted into a computer connected to a company network and be allowed to autorun. While it is tempting to see a free laptop or USB device as a lucky find or nice gift, it is important to be aware of malicious intent that may be hidden in this new type of Trojan horse.

Sources: McMillan, Robert. “FBI investigating laptops sent to US governors.” August 27, 2009.
http://www.computerworld.com/s/article/9137213/FBI_investigating_laptops_sent_to_US_governors?taxonomyId=17

Knezevich, Alison. “Police investigate mystery computer delivery to Manchin’s office.” West Virginia Gazette. Aug. 24, 2009. http://wvgazette.com/News/politics/200908240818

Thursday, August 20, 2009

Welcome to the Course Blog!

This blog is designed for students in the Information Security course in Notre Dame's Computer Applications Program (CAPP 40260). You are expected to read this blog regularly and participate frequently. As discussed in the course syllabus, it will comprise a significant portion of your grade.

Blog Purpose

The blog has two purposes. First and foremost, it is a discussion venue for information security topics that we discuss in class or that you encounter in the real world. More on that in a second. I will also use this blog to disseminate information about the course, including assignments, lecture notes and other materials.

Accessing the Blog

There are two ways you can access the blog:

Blog Participation

Your participation in this blog is an important part of the course and will play a role in determining your grade. You'll need to create a Google account (if you don't already have one) to create or comment on blog posts.

Important note: any posts or comments you make on this blog will be readable by anyone on the Internet. This includes your roommates, significant other, future spouse, employers and the CIA. For this reason, I don't expect that you will use your real name on your postings. It's perfectly acceptable to post under a pseudonym (which you can set using the Display name option in your Google Account). Just send me an e-mail letting me know what pseudonym you've adopted so I can track your participation for grading purposes.

I expect that, during the course of the semester, you will make at least one contribution per week (excluding Fall Break and Thanksgiving week). Those contributions may be either original blog posts or substantial comments on another student's blog post. Your participation grade will depend much more on the quality of your posts than the quantity of your posts. Here are some additional guidelines:

  • At least one contribution every month should be a full blog post (either a security review or a current event). This means that you should make at least 4 full posts during the course of the semester.
  • At least one of the posts you make during the semester should be a security review.
  • At least one of the posts you make during the semester should be a current event. Please do not create multiple full posts about the same event -- that's what comments are for!

The blog posts and comments will be an important part of our classroom discussions. Therefore, I expect that you will read each other's posts and comments before coming to each class session. Please be prepared to continue the blog discussion in the classroom.

Security Reviews

The goal of the security reviews is to help you develop a security mindset. To quote Bruce Schneier, "This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems."

In your security review postings, I'd like you to choose a particular technology (it doesn't need to be high technology!) and write a detailed evaluation of the security features of that technology. Your evaluation should include:

  • A short (5-10 sentence) description of the technology with references, as appropriate.
  • Explain the security goals that you would have for the technology if you were the owner. Reference this in terms of confidentiality, integrity and availability. Include a description of the asset(s) in question.
  • Explain the goals you would have if you were an attacker attempting to exploit the technology. Explain this in terms of disclosure, alteration and denial. Include a description of the threat(s) that may exist.
  • Describe any vulnerabilities you might identify in the technology. Are there weaknesses that you can see that an attacker might exploit? Describe a potential attack.
  • Discuss the risk that you perceive is inherent in this technology based upon the asset's value, the threats and the vulnerabilities.
  • Make a recommendation to the owner of the system regarding the appropriate risk management strategy (or mix of strategies) they should pursue based upon your risk assessment. Recall that the possible risk management strategies are risk avoidance, risk acceptance, risk mitigation and risk transference.

I encourage you to choose technologies for these reviews that you encounter in your everyday life. As you go about your day, look at systems in a new way: think through the eyes of a criminal. If you were trying to exploit a system, what would you do?

A University of Washington course followed a similar process and came up with some good reviews. Please note that the professor for that course used a different format than I am requesting you use. Highlights included:

Important note: You are being asked to evaluate the security of the technology, not test it. You should not attempt to do anything that may be illegal or unethical.

Current Events

Current Events postings are descriptions of a current event in the world of information security. These might be stories about security incidents that occur during the course of the semester, announcements of security vulnerabilities, or other interesting security news.

When you make a current events post, provide a link to the original article. Include in your post the following details:

  • Brief summary of the event
  • Thoughts on the actual or potential cause of the event (depending upon what information is available)
  • Recommendations on how the affected individuals/organization should respond to the event. (e.g. in the case of a security breach, what should the company do? What should individuals affected by the breach do?)

Some sources you might consider for information security news include:

Some examples of good current events postings from a course at the University of Washington include:

Acknowledgments

This idea is not original. The concept of building a security mindset through class participation in a blog community, including the use of security reviews and current events discussions, comes from Professor Tadayoshi Kohno of the University of Washington's Computer Science and Engineering Department. He used this concept in a Computer Security course at UW and Bruce Schneier wrote about it in a blog posting entitled The Security Mindset.

Case Studies

In order to provide a broad exposure to information security issues and events, each student is expected to present one case study to the class during the course of the semester. The case study topics we'll tentatively cover each day are listed below. If you would like to cover a topic not appearing below, feel free to suggest something new and we'll cover it in class.

  • 9/3: Therac-25 - Joe J.
  • 9/8: Monster.com - Kali
  • 9/10: Fake Subpoenas - Rebecca
  • 9/15: Norwegian ATMs - Ryan
  • 9/22: ChoicePoint - Morgan
  • 9/24: Epilepsy Foundation - Chelsey K
  • 9/24: Stock Spam - Will
  • 9/29: Lost Laptop - TMGP
  • 10/1: Hacking Jail - Ross
  • 10/8: Getting Hackers Through Their Targets - John C
  • 10/8: Phishing Scams - John F.
  • 10/13: Landline Hacking - Kyle
  • 10/13: Conficker - James
  • 10/27: Restaurant Credit Card Fraud - Ray
  • 10/27: Open Topic - Scott
  • 10/29: TEMPEST - Andrew
  • 10/29: Open Topic #2 - Ryne
  • 11/3: Open topic - Sadie
  • 11/3: Campus Security Breaches - Kelly
  • 11/5: Open Topic - Ty
  • 11/5: Open Topic - Dave
  • 11/12: Internet Explorer - Michelle
  • 11/17: Home/Work Location Pair Anonymity - David S.
  • 11/17: Open Topic - Brian
  • 11/19: Open Topic - Christian
  • 11/24: Open Topic #1 - Mike U.
  • 11/24: iPhone vs. Blackberry Security - Dominique
  • 12/3: Etrade Salami Slicing - Vinnie
  • 12/8: Open Topic - Tom
  • 12/10: Open Topic - Ryan

The topics above are linked to supporting materials, where available. You may need to do additional research to provide enough material to fill your class discussion time. Your talk should be about 10 minutes long and cover the following items:

  • What happened?
  • What is the root cause of the event?
  • What would you have done differently?

Please select a topic by adding a comment to this blog post. First come, first served.