Professional Documents
Culture Documents
• Your name
• Year at drexel
• Why interested in Computer Security and
CS 475?
• Something else interesting about you
High Level Information
• 2009 : Buy cert for *\0.domainI0wn.com, results in cert for * due to pascal vs
C string confusion
• 2013 : “Lucky 13” attacks, bypass SSL by breaking cookie authentication (also
BEAST, CRIME, TIME)
• 2015:
But then again, why
bother?
Crypto is hard: Debian
• The following lines were removed from md_rand.c
MD_Update(&m,buf,j);
[ .. ]
MD_Update(&m,buf,j); /* purify complains */
• Heninger et al
• Remote compromise of 0.4% of keys. Due to poor random number
generation. Affects various kinds of embedded devices such as routers and
VPN devices, not full-blown web servers
The foundation is
rather shaky
• Confidentiality
• Integrity
• Authenticity
• Availability
Analyzing the Security
of a System: Part 1
• First thing : Summarize the system clearly and
concisely
• Absolutely critical
• Identify vulnerabilities
• Iterate
Assets
• Need to know what you are protecting!
• Hardware: Laptops, servers, routers, PDAs, phones, ...
• Software: Applications, operating systems, database systems, source code,
object code, ...
• Data and information: Data for running and planning your business, design
documents, data about your customers, data about your identit
• ...
Risk Analysis
• Quantitative Risk Analysis
• Expected Loss = ValueOf(Asset) * Prob(Vulnerability) * Prob(Threat)
• Hard to assign ValueOf (monetary?) and Probabilities
• Qualitative Risk Analysis
• Assets: Critical, very important, important, not important
• Vulnerabilities: Has to be fixed soon, should be fixed, fix if convenient
• Threats:Very likely, likely, unlikely, very unlikely
• Which of the attacks we discussed Thursday were a result of getting this
wrong?
Homework 1
• Due April 9 (no late days for this)
• Security review of WhatsApp