ctssecblog-blog · 5 years
Tut 8
Ghost
This week’s case study was about the Stargate ghost. The scenario is:
Suppose you are the friendly Major M from the base who can see the alien A but who cannot see the invisible man X. Q: What would you M do to get from X his report on the Alien's (A's) planet?
Firstly I’ll make a few assumptions: first, that there is no language barrier from X->A->M, and that X and M have a strong repertoire with each other.
This problem mainly seems to boil down to an authentication problem: X needs to convey something to A that only M and X would know, and this would likely need to be done several times with many different pieces of unique information.
Once authentication is established, X can continue to talk to A and then talk to M. However, a big problem is that if authentication is established then A can use this to his advantage to manipulate the information coming out, so X needs to develop a system in which he sends information periodically, and then if A betrays him and miscommunicates, X can feed him a false piece of information that will allow M to know that A is lying.
Security Everywhere
Bulgarian Hack
Recently a hack of the Bulgarian tax revenue office has effectively leaked private information of every single adult Bulgarian, of roughly 7 million people.
The details leaked by the hacker were about 5 million people’s social security, bank and salary details.
The hack is attributed to a 20-year-old Bulgarian, who is currently being prosecuted. I couldn’t find any sources that actually detail how the hack was done, just that it was a database that was breached.
It’s kind of crazy that this hack was actually able to happen, and that such a large amount of information was able to be stolen so easily. It really goes to show how things many people put their faith into can be broken really easily. It makes me wonder if these types of breaches have happened to us in Australia and no one knows because nobody knows it’s happened.
Tut 7
Snoop
There were several pre readings that I skimmed through; they had to do with data collection by the government and the associated pros and cons of the government taking it.
Within our actual tute we were split in half, half for all government surveillance and half against. A lot of the discussion felt as if some of us on the government side were just playing devil’s advocate, but I think it’s still important to get information from both sides when making your decision. I’ll list both sides of the arguments and then give my own personal opinion.
Pro Government Surveillance
To start off with, the government already collects information on you, with you voluntarily giving up the information (census, taxes, social media), so it’s evident that most people aren’t really against the government having your information.
Why does the government need your information, is the question that's asked when dealing with surveillance. The most common answers to this usually revolve around protection of the people: information allows the police/government to better understand what, how, when and where criminals are doing illegal activities, including terrorists, which have become a larger threat within the eyes of the government and many of the people.
Generally good people would be fine with handing over information for they have nothing to hide, and only those who are bad/have something to hide will be naturally opposed to the government collecting information.
A large pool of information on people would also make convicting felons a lot easier, as it provides a large amount of evidence that can be utilized.
Information would also help the government in making its decisions, being able to gauge the people’s general feeling towards policies/law/government.
Anti Government Surveillance
The biggest point from the anti position is that we as people should be allowed to have our own privacy, the government trying to gather as much info as possible on us is a breach of our rights. We should be allowed to keep things away from the government, even if it’s not nefarious or harmful we should still be allowed to decide who gets to know something.
Even if our information doesn’t incriminate us under the current governmental system, there is a possibility our information may reflect negatively on us under a different system and therefore cause us to be putting ourselves at risk.
As people we also shouldn’t take the government as being 100% perfect: as it’s run by people and people have problems, the government will therefore have problems, and therefore giving them access to private information isn’t good.
Another problem is that our information must be logged somewhere, and this place can’t be perfectly secure, so even if we are okay with the government seeing our information (which we are not), there is potential for people who don’t with our information getting access to it, either through some sort of hack, leak or insider.
A specific problem in today’s society is that of deep fakes: if our face/appearance is logged by the government, then someone with that can cause us to appear to say/do something we wouldn’t.
My Opinions
Generally I’m pretty unconvinced that the government needs a large amount of information on us. I’d generally prefer for them to not have my information, but I can understand why they think they need it. My biggest fear is my information being leaked/hacked by someone with malicious intent, which could ruin my life. The extent to which I’m okay with the government having my information is fairly vague for me, and would require deep thought, as I do think certain information can be useful. Perhaps information shouldn’t be tied directly to a specific person or even group. In general I think more people should be careful of the information that they just voluntarily give up.
Tut 6
Safer
The tutorial was mainly concerned with computer and internet related attacks we might suffer or inflict if we were to enter into a war with some superpower like Russia. In my own reading I found:
Attacks related to spying, like intercepting all information to and from the country.
Attacks of sabotage, that is, attacking something that is vital to the country that may cause mass problems.
Propaganda: convincing the people that their government is wrong, or convincing the people of our country we are right.
Within the tute, we talked a lot about specific types of attacks and how they would be implemented.
Some of the ones that stuck out to me were:
Attacking infrastructure or systems important to the government, to either cripple the economy or cripple the country as a whole. Taking down an important system within the country can lead to people being angry as well as societal shutdown, and when you are engaged in war, splitting focus can be extremely detrimental.
There were talks of using a Denial-of-Service attack, which is basically an attack that makes it very difficult for the intended users of a system to actually use it. Doing this would slow down efforts made by the other party as well as make them split focus as above.
Propaganda was talked about a lot, especially things like fake news, manipulating social media and targeted propaganda. The usefulness of propaganda is that it’s easy to hurt a country that is hurting itself, and propaganda achieves this by causing problems within the structure of society.
Another one discussed was the idea of hiding ourselves by framing another country. Digital attacks can be hard to track and can be made to look like they come from a specific place. Also, many countries seem to possess their own code ‘dialects’ which can be mimicked to make it appear as if someone else is attacking.
Overall, with the continuing of wars in today’s time, it wouldn’t surprise me to see this type of warfare become a lot more prevalent, assuming it isn’t already, as it’s hard for a citizen to actually know if these attacks are happening. Warfare may become invisible to the ordinary observer as countries fight using ‘invisible’ methods. We are seeing evidence of this today (Trump election), and will probably see it more in the future.
Tut 5
Johnny Cab
I couldn’t find any pre reading for this tutorial.
This week, we were split into small groups and each given a piece of paper to discuss. Ours outlined a situation like so: You are the CTO of a company that plans on investing into self-driving cars; talk about the risks and how you would pitch whether it should or shouldn’t be done.
Our group came up with some of the following things we want to keep safe:
Reputation of the company, Intellectual property, Information/data on the cars and drivers, ethical problems (who can and can’t be in a self driving car).
Some of the problems we saw with implementing the self driving cars were:
Potential traffic risk, moral questions (trolley problem), hacking, blame for resulting problems.
Our group was fairly focused on the negative impact a self-driving car may have on society as well as the risk to the company itself. After discussing and talking with other groups it was revealed they were given a different prompt, basically the same except from a government’s perspective.
In the open discussion the groups from the government were more concerned with and focused on the impact on people as a whole, more so than us, as well as the policy/legislation/rules that would be necessary to have self-driving cars. All the groups did agree there were risks involved with them, as well as agreeing on the many ethical and moral problems that may be faced, but those on the company perspective were looking at these through a different lens.
This tutorial was pretty interesting and fun. It was funny how easy it was to distinguish the groups from each other, and it sort of highlighted a modern ‘problem’ in that companies and governments are a lot of the time on a different page and not concerned with the same things but may still embark onto something, with each side having their own agenda that may not be communicated to the other side.
My personal opinion on self-driving cars is fairly positive; they are pretty good utility and are generally more convenient. My only real problems with them are the fact they aren’t necessarily “green”, which I think is a more important issue, and that it perhaps takes away the enjoyment some have in driving.
Passwords
The passwords talk was really interesting and made me rethink my own password choices and the passwords of others that I know (family members, friends).
I did some of the things the group recommended to test my passwords, and found that most of them weren’t that great, and some were ok.
I particularly felt like the talk spoke to me in regard to how frustrating password creation is, in that most software/websites require a limited set of how your password should look, which leads to passwords being pretty bad in terms of security.
I also feel that something most places focus on is the ‘strength’ of your password, and while this is important I think more places should focus on the ‘uniqueness’ of your passwords, because if all your passwords are the same, once you’ve compromised one you’ve compromised them all.
Developing unique passwords is not only difficult to do, but it’s also difficult to actually remember. After doing a little looking myself it seems the best way to solve the aforementioned problem is with a password manager, which makes all your passwords both secure and removes the need to remember them, bar one ‘master’ password.
Tut 3
Doors
The pre reading for this tute was on several different aircraft incidents in which a pilot was either locked out of the cockpit by the mechanism or his co-pilot and something went wrong because of it.
My thoughts before the tutorial were that these incidents demonstrated the big problem of insiders as well as the problem of who we can trust. It also showed a fault in the actual mechanism behind the door, and perhaps the process behind this should be altered in some way.
The question discussed in our tutorial was, after reading these incidents, what would be our recommendations to change things.
In order to tackle this we have to ask what we would want to change, and why.
For me it seems we need to have some way that doesn’t rely on both pilot and co-pilot being “good guys”, and that there is some way to override that if one goes rogue. My recommendation for this problem would be to have some sort of override switch to air control, so that if a pilot is attempting to lock out someone to do something bad it can be mitigated more easily.
Another problem to be fixed is that pilots get locked out because they need to leave to use the restroom or other things. A way to better stop the need for the pilot to leave, and therefore increase the chance things go well, is to better provide the cockpit with the things the pilot will need.
We could theoretically have a stronger reliance on a computer navigation, to therefore stop the chance of humans doing bad things; however, these computers would be programmed by humans and therefore transfer the human error onto it. Perhaps a better choice would be for air traffic control to be able to take control remotely, but this then adds a new vulnerability to the system.
In general we talked about beefing up the security to the cockpit, mainly to deal with threats outside of the crew. This would perhaps be a 2 Factor Authentication type measure, or using an ‘airlock’ style door that only allows one person at a time to be able to go through.
Overall I think there are many unique problems posed in this question and many solutions. Implementing these solutions may be impractical, as it would require a large amount of technical engineering as well as rolling them out into current airplanes. There is also the problem that these new measures will still likely create their own new set of vulnerabilities. It would be good to see talks of change, as change generally tends toward improvement and makes the lives of the attackers slightly harder.
Tut 4
Secret
There was no pre reading for this tute.
This week we came in and were given the question in an exam-like situation. It detailed that we were the heads of security of a place working on a secret project and were to outline what we needed to protect and how we were going to do it.
For me, what I listed as being the things to protect were:
Access to Machines - Access to computers, servers and any other technical application. If this was not protected getting information could be incredibly easy for someone.
Access to the Building - Accessing the building opens up an attacker’s ability to get what they want; by restricting the access to the building we restrict the access of the attacker.
People - We need to protect the people who are legitimately inside the building working on this project, if they are compromised then attackers can extract the information they want
Data/Information - The data to the company is the most important part of the project, so protecting the data is fundamental; this is not only digital data but also physical paper copies. Not only would it be data dealing with the project but also data regarding the project in any way.
Design Plans - Obscuring the actual layout/location of the building may be security by obscurity, but it can still help in deterring attackers, or making their job a bit harder, which is our goal as a defender.
So from the things we stated we needed to protect we were then meant to write about what we should do to protect them.
For me my 3 main things were:
1. Creating a strict access policy as well as strong security personnel with the ability to ID everyone on grounds. This policy could involve some form of 2 factor, involving a badge, facial recognition, unique passwords, etc.
2. Building split into subsections and small areas that can only be accessed by the people who are required to be there. These areas should have limited reliance and communication with each other, this is so that if one of the areas is compromised then it doesn’t necessarily compromise other areas.
3. Obscuring where the building is, either through having it hidden in a normal looking building or underground. By hiding the building it’s less likely to be found and therefore targeted by hackers; the problem with this is obviously that once it’s discovered it’s forever known.
This is very much a real world problem, where companies/countries want to be able to be hidden and unbreakable, yet it seems to my knowledge that they are usually open to many types of attacks, especially those of a social engineering variety. Mitigating these attacks requires a lot of planning and thought, and requires more depth than three main recommendations. In my opinion the security of the building/facility/information should be the foundational groundwork on which it’s built, ensuring that each step is carefully protected.
Something Awesome
CTF/WAR GAMES
I plan on doing many CTF challenges located on the web. For each one I intend to create a short description of the puzzle, my process in solving it and useful security concepts/ideas that I learned. The main site I’ll be taking the challenges from is http://pwnable.kr, which has four main categories of difficulty. Ideally I would like to complete all the challenges provided as well as others from different sources.
Planning
Each week I plan on completing 7-10 challenges depending on difficulty; this is roughly 1-2 a day. Each will have its own write-up detailing the solution/process, its applications in real life and other interesting pieces of information learned.
Extension
To extend this I would like to create ~5 of my own CTF challenges, and hopefully have people within the course solve them.
Marking Criteria
PS - Small (<5) challenges done per week, low quality write-ups that lack some insight and information, no extension
CR - 5-6 challenges per week, write-ups have some good information and good applications but nothing beyond, no extension
DN - 7-9 challenges per week, write-ups are detailed and offer good insight, extension partially attempted
HD - 10+ challenges per week, detailed write-ups with interesting applications and well documented information that goes above and beyond, extension fully completed
Tut 2
Case Study 2: Houdini and Spiritualists
Harry Houdini, the famous magician, was very anti-spiritualist, that is, against people who claimed to be able to speak to dead people. He would attend seances of many mediums in an attempt to discover their tricks and later expose them as frauds. The most famous example of such a case was that of Margery, one of the most renowned spiritualists, who was being considered for a monetary prize for someone who could show they had supernatural gifts. Houdini attended her seances and did much of what he usually did: try and out her as a fake. Most people would say he was successful, as she never did end up receiving the monetary prize and lost some of her close believers.
In relating this story to security engineering, we can look at the mediums and Houdini as representing the defender and the attacker respectively. Houdini used an attacker mindset: he went into seances looking for cracks or problems in the way the medium/defender conducted themselves, and once he established a problem with the medium it discredited them entirely.
If the mediums had thought like an attacker and were able to patch up the problems in their ‘performances’, they would have been better protected/safe against Houdini. The mediums also believed that once a trick was done, if Houdini didn’t have an immediate answer he would let it go, but as an attacker Houdini would never stop pushing to find problems he could exploit.
In the actual tute we discussed how Houdini could show them all wrong from the afterlife. We were basically devising an encryption method which would be incredibly hard for the medium to crack, and the only way they could know the answer would be if they could actually communicate with the dead.
Security Everywhere
Doors
Not specifically about something newsworthy, but I’ve been thinking about the security of UNSW buildings.
Walking around campus it seems extremely easy to get access to a large proportion of the rooms and buildings on campus. I’ve noticed lots of offices and rooms are very much just kept open, as well as computers not being logged off.
It seems to me that if someone wanted to steal from the uni, it would not be that difficult, as people just seem to accept that if you are there you are there for a valid reason. Also, these problems are accentuated at night time, when UNSW is still very open but with just fewer people around.
I’m very curious as to how common it is for people to just walk into a room or office and get away with stealing something.
Something tangentially related is that I know of some people who keep their houses unlocked when they leave for a small amount of time, assuming that they won’t be stolen from (they usually aren’t) or they’ll catch them in the act. To me this seems silly, as if an attacker is going to steal from you they usually do it very quickly.
Tut 1
Case Study 1: Deepwater Horizon
This was an offshore drilling rig on which, in 2010, several problems led to a massive explosion on the rig and a large spill of the oil being mined. From reading/watching the sources, what caused this was a result of many different points that broke, causing the entire system to fail. Some of the main problems that led to the catastrophe were the lack of regulations when the initial rig was put in place, which meant there were certain oversights (improper excavation of the earth/mud and improper testing of the drill); there was also a lack of precautionary measures in place in case gas was ever on the rig (no sensors). However, the biggest problem was the blowout preventer (BOP). The BOP was intended to cut the pipe if any problem were to arise (like gas being in there); however, due to failures in the detection protocols the BOP failed. Even then the BOP had several other things that would trigger (like no power on board), however this still did not trigger, because the only other way the BOP could be activated was via a manual override (i.e. going to the ocean floor and triggering it). This allowed immense amounts of oil to spill and gas to come to the rig; the gas on the rig, which was undetected due to no detectors on board, was able to ignite and explode.
The catastrophe of Deepwater Horizon can help us understand things in security. The biggest reason the system (rig) failed was because many of the components were so dependent on other components that it caused a wave of problems; if only one thing hadn’t gone wrong it might not have happened. We should try and develop systems that don’t have massive dependency on each other and can work even if some failures happen.