Cyber Security in the Three Times: Past, Present & Future


Carnegie Mellon CyLab, 4720 Forbes Avenue, CIC Building, Pittsburgh, PA 15213. PH: 412.268.1870, FX: 412.268.7675, www.cylab.cmu.edu

CERT 20th Anniversary Seminar Series, Pittsburgh, Pennsylvania, 7/22/08

Richard Power, Carnegie Mellon CyLab 2008

Agenda
• Speaker’s Bio
• CyLab’s Mission
• Global Economy & Cyberspace
• Glimpses Into the 21st Century Threat Matrix
• Cyber Risks Timeline
• Elements of A Holistic Program
• Ruminations & Conclusions

Harnessing the Future to Secure the Present: Richard Power
• CyLab Distinguished Fellow
• Director of Global Security Intelligence for Deloitte Touche Tohmatsu (2002-2005)
• Editorial Director for Computer Security Institute (1994-2002)
• Author of Five Books, Including
  – Secrets Stolen/Fortunes Lost: Preventing Intellectual Property Theft & Economic Espionage in the 21st Century (w/ Christopher Burgess)
  – Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace
• Author of War & Peace in Cyberspace, monthly column for Computer Fraud and Security Journal (w/ Dario Forte)

CyLab’s Mission
CyLab is …
• A bold and visionary effort, which establishes public-private partnerships to develop new technologies for measurable, available, secure, trustworthy, and sustainable computing and communications systems, as well as to educate individuals at all levels.
• A dynamic matrix, in which great works are accomplished, great minds come together, and great careers are launched.
• A vital resource for government and business to draw on in addressing cyber risks that threaten national and economic security.
• A world leader in both technological research and the education of information assurance professionals. CyLab harnesses the future to secure the present.

Harnessing the Future to Secure the Present
One of the world’s premier centers for cyber security, dependability and privacy:
• Largest U.S. university-based cyber security research & education program
• Computer Emergency Response Team (CERT)
• National Science Foundation (NSF) CyberTrust Center
• Key partner in NSF-funded Center for Team Research in Ubiquitous Secure Technology
• National Security Administration (NSA) Center of Academic Excellence in Information Assurance Education
Unique comprehensive approach:
• Multi-disciplinary, university-wide
  – Faculty and researchers from six colleges of Carnegie Mellon
  – 50+ faculty/researchers and 130+ graduate students
• Funded by private and public funds
  – Budget of approximately $12M in fiscal year 2007
  – Supported by 50 member private companies and government research funds
• Global educational partnerships & initiatives: e.g., Taiwan, India, Portugal, Singapore, Greece, Japan, etc.

Benefits of CyLab Partners Program
The Four R’s of CyLab Partner Program Benefits --
• Research – Leverage CyLab researchers and facilities for your R&D
• Recruitment – Get inside track on hiring CyLab graduates to build your technology team
• Reputation – Embellish your image by association with leading research center
• Return on Investment – Cost-savings & boost in reputation translate into immediate ROI

The Web of Life
“All things are connected like the blood that unites us all. Man did not weave the Web of Life, he is merely a strand in it. Whatever he does to the Web he does to himself.”
Chief Seattle, 1854

Growth of the Global Economy
Everyone & Everything Everywhere is Connected …
• 2001: 34 nations sign “Free Trade Americas” pact for massive free-trade zone of 800 million people from Alaska to Argentina.
• 1999: Euro, a common currency for 11 European nations. “Biggest economic event we’ll see in our lifetime.”
• 1998: Asian economic crisis impacts the world.
• 1995: General Agreement on Tariffs and Trade (GATT) signed.
• 1994: North American Free Trade Agreement (NAFTA) signed.
• 1992: Treaty on European Union (EU) signed.
• 1989-1991: Collapse of Soviet Union, German reunification.

Growth of Cyberspace
Everyone & Everything Everywhere is Connected …
• Radio -- 35 Years to Reach 50 Million People
• TV -- 15 Years to Reach 50 Million People
• WWW -- 5 Years to Reach 50 Million People

As They Evolve, They Increasingly Interpenetrate
[Figure: Global Economy and Cyberspace in the 1980s, the 1990s and the 21st Century. Source: Secrets Stolen/Fortunes Lost, Synergy Press, 2008]

In 21st Century, They Occupy Same Space & Share Risk
[Figure: Global Economy and Cyberspace in the 1980s, the 1990s and the 21st Century, with the shared risks labelled: Competitors, Hackers, Espionage, Data Theft. Source: Secrets Stolen/Fortunes Lost, Synergy Press, 2008]

Yoga of the Three Times
In the 8th Century, this teaching was written down by Yeshe Tsogyal, Tibetan yogini and consort of the great sage, Padma Sambhava; it was then “hidden away amidst a cache of precious things” to be read by seekers of the future –
• The yoga of the past not being practiced, memory of the past remains latent.
• The Future, not being welcomed, is completely severed by the mind from the present.
• The Present not being fixable remains in the state of voidness.
(Tibetan Book of the Great Liberation, Ed. & Trans. by W.Y. Evans-Wentz, Oxford University, 1954)

Glimpses into the 21st Century Threat Matrix
On the dark side of cyberspace -- a rapidly expanding spectrum of risks & threats, ever-evolving in sophistication …
• Every technological advance for mobile workers offers new opportunities for cyber criminals and industrial spies
• Rise of organized crime in Eastern Europe was predicted 14 years ago, and yet, it has grown powerful & pervasive
• Not just petty crime, recent headlines highlight attacks on national security, financial markets & power grids
• Meanwhile, perennial threats, like the disgruntled or dishonest insider, continue unabated

Glimpses into the 21st Century Threat Matrix
A random sampling from 30 days of newspaper headlines underscores the scope of the challenge
• Bank: Rogue trader hacked computers (CNN, 1-27-08)
• Hackers darken cities, CIA says (Security Focus, 1-21-08)
• China has penetrated key U.S. databases (SC Magazine, 1-18-08)
• Wi-fi users, beware: Hot spots are weak spots (Wall Street Journal, 1-16-08)
• New mass hack strikes sites, confounds researchers (Computerworld, 1-14-08)
• Former Cox employee who shut down 911 gets jail time (SC Magazine, 1-11-08)
• Former New Jersey system administrator gets 30 months in prison for ‘logic bomb’ (SC Magazine, 1-9-08)
• Engineer: I stole IDs from hotel computers (Miami Herald, 1-9-08)
• Mass hack infects tens of thousands of sites (Computerworld, 1-7-08)
• FAA: Boeing's New 787 May Be Vulnerable to Hacker Attack (Wired, 1-4-08)
• eBay goes far to fight fraud – all the way to Romania (L.A. Times, 12-26-07)
• Pune woman $12mn cyber theft (DNA, 12-28-07)

Glimpses into the 21st Century Threat Matrix
Another random sampling from recent newspaper headlines underscores the scope of the challenge
• Crimeware server exposes breadth of data theft (GCN, 5-6-08)
• Hackers' posts on epilepsy forum cause migraines, seizures (SMH, 5-8-08)
• Hacktivists collect fingerprint of fingerprint collector (Register, 3-30-08)
• Hackers Hijack a Half-million Sites In Latest Attack (Computerworld, 5-13-08)
• FBI Worried as DoD Sold Counterfeit Networking Gear (CSO)
• Rare SCADA vulnerability discovered (SC Magazine, 5-9-08)
• Technology, media firms overconfident, unprepared for breaches: Deloitte survey (SC Magazine, 2-7-08)
• Hackers Focus on VoIP Accounts (WebPro News, 5-12-08)
• Hackers May Have Stolen Millions of Cards (Newsday, 5-15-08)
• Hackers catch ride on Grand Theft Auto IV downloaders (Computer Weekly, 5-15-08)
• Russia’s state hackers target Radio Free Europe in Prague (Sunday Herald, 5-10-08)

Glimpses into the 21st Century Threat Matrix
A random sampling from 30 days of newspaper headlines underscores the scope of the challenge
• Spam Blockers Losing Ground on Sophisticated Attackers (6-08)
• Software Engineer First to be Sentenced Under Economic Espionage Act (6-18-08)
• Citibank Server Breach Likely Source of Compromised ATM Cards (6-18-08)
• Stolen Computer Holds Outsourced Human Resources Data (6-23-08)
• Marshall Islands hit by 'zombie' attack (6-25-08)
• Former Employee Allegedly Deleted Organ Bank Data (6-26-08)
• More Than 630,000 Laptops Lost at Airports Each Year (6-30-08)
• S.F. officials locked out of computer network (7-15-08)
• New trojan in the wild targeting multimedia files (SC Magazine, 7-14-08)
• Hackers break 3G iPhone lock (7-13-08)
• Hackers Steal Millions From 7-Eleven ATM (AP, 7-3-08)

Glimpses into the 21st Century Threat Matrix
Trends for 2008-2009 (it’s only going to get worse) --
• Increased professionalism and commercialization of malicious activities
• Threats tailored for specific regions
• Increasing numbers of multi-staged attacks
• Attackers targeting victims by first exploiting trusted entities
• Convergence of attack methods
• Automated evasion process
• Advanced Web threats – laundering origins through the Web
• Diversification