Lecture notes Security (NWI-IPC021)

Pages: 128
Uploaded on: 17-01-2021
Written in: 2020/2021

Notes and summary of the Security lectures at Radboud Universiteit.


Document information

Type: Class notes
Professor(s): Daemen
Contains: All classes


Security
Chantal Banga, s4545176
December 2020


Lecture 1 - Intro
Security
Freedom from, or resilience against, potential harm or unwanted coercive (forced) change caused by others.

Beneficiaries of security
• Individual persons
• Social groups

• Objects and institutions
• Ecosystems

Security vs. Safety
• Safety: against (unintentional) accidents or disasters
– Anticipate what can go wrong
– Also the unexpected
– Forces of nature: tsunamis, fire, biohazard, flood, polar bears, etc.
– Bad things happening: nuclear accidents, panic, power outage, traffic, etc.
– Providing safety is hard
• Security: against malicious activities by people

– Anticipate war, terrorism, fraud, theft, abuse, etc.
– Also the unexpected
– Providing security is harder
– Because the harm is intentional



Computer security
The protection of computer systems from theft or damage to their hardware,
software or electronic data, as well as from disruption or misdirection of the
services they provide.

• Computer security: Security involving (modern) information technology (IT)
• It’s about access
– Preventing unauthorized access to:
∗ Accounts
∗ Personal data
∗ Computing resources
∗ Media content
∗ Communication resources
– Ensuring authorized access:
∗ Protection against denial of service
• It’s also about harmful use of IT
– Stealing:
∗ Vehicles, exploiting car key weaknesses
∗ Burglary, using collected info, key weaknesses
∗ Cryptocurrency mining on other people’s bill
– Identity theft: for harassment, stalking, etc.
– Blackmail, using:
∗ Ransomware: keeping data hostage
∗ Threats to take away resources/services
– Misinformation
∗ Website defacement
∗ Fake news to manipulate public opinion, ...

• IT makes eavesdropping easier
– Hackers can exploit protocol weaknesses to get cleartext
– Numerous other examples: Wi-Fi's WPA2, TLS, ...

• Systematic eavesdropping on all: mass surveillance
By organizations that claim to be legitimate
– For profit: Google, Facebook, device vendors, etc.
– For law enforcement: governments


– Using smartphone, TV, smart speakers
• IT leading to very powerful weapons
– Botnets: army of malware-infected computers
∗ For denial of service: terrorism, blackmail
∗ For cryptocurrency mining: theft
∗ For selling CPU power
∗ For password guessing
∗ Etc.
– In cyberterrorism and cyberwarfare
∗ We’re at war ethics
∗ Mass manipulation with propaganda, fake news, etc.
∗ Sabotage of enemy (IT) infrastructure
∗ Destabilization by fake news, election manipulation, etc.
– Computer viruses, worms, trojans, ...




Lecture 2 - Intro
Problems implementing security
• Products are often not designed with security in mind

– Many products are quickly thrown together and shipped
∗ Especially web pages, apps, IoT, ...
∗ Using code that is mostly found and googled together
∗ Very minimal testing
∗ Security only as an after-thought (if any)
– For some the security was good initially ...
∗ The Internet in the 1980’s
∗ Linux OS - developed in the 1970’s
1. Discretionary access control (DAC) that allows the users to
decide on the access of their files
2. SELinux, Qubes - attempts at OSs built to be secure
• Products evolve very fast
– Their usage expands or changes
∗ Virtualization of servers, the cloud ...
∗ Mobile phones becoming our banking devices
– New challenges for security

• Products have high complexity
– Moore’s Law:
– Software products have high complexity too
∗ Windows 10: estimated 50M lines of code (LOC)
∗ Linux kernel: 10K in 1991, 311K in 1995, 20M in 2015
– Security: understanding possible attack paths, vulnerabilities
∗ Complexity introduces vulnerabilities, well after deployment
· Example: side-channel attacks, speculative execution
∗ Security becomes a break and patch game
– Security assurance: closed vs. open source
∗ "Public scrutiny (examination) makes open source high-assurance"
∗ In theory yes, but only if small code base
∗ High assurance: smart cards with tiny cpu and 20K LOC
• Business is not focused on security
– Business landscape in IT is very competitive

