CS 3710

Introduction to Cybersecurity

 

Aaron Bloomfield (aaron@virginia.edu)
@github | |

 

Course Introduction

Motivation

First, a definition…

mal: bad, in the Latin

 

malware: software that is intended to damage or disable computers and computer systems

Costs of Malware

  • Cost of malware (worldwide):
    • 1997: $3.3 billion (source)
    • 2006: $13.3 billion (source)
    • 2014: $491 billion (source)
    • 2015: $3 trillion (source)
    • 2021: estimated to hit $6 trillion (source)
    • 2024: estimated to top $10 trillion (source)
    • 2029: predicted to top $15 trillion (source)
  • Companies often cover up the worst cases
  • Does not include cost of security measures

Malware Costs: Example 1

  • April 1999: CIH (Chernobyl) virus
    • Overwrites first megabyte of the hard drive with zeros, then overwrites the BIOS
    • Only affects Windows 95, 98, and ME
  • $250 million lost in one day in Korea alone; widespread across Asia
    • Estimated $1 billion in damages in total
  • Hard to quantify cost of lost files, time spent reinstalling OS and applications, etc.

Malware Costs: Example 2

  • February 2001 mass mailer: Anna Kournikova virus
    • Visual Basic script via email, based on LoveLetter
    • Enticed people to open it promising a picture of a popular and pretty tennis star
      • Social engineering!
    • Did little damage, though
    • The creator didn’t know how to program!
      • He used a virus kit

Malware Costs: Example 3

  • 2010 / 2011: Stuxnet worm
    • By far the most advanced piece of malware ever created at that point
    • It’s goal (and it succeeded!) was to cripple Iran’s nuclear enrichment
      • Said program was set back by 1-2 years
    • Authors have not come forward, but speculation is a joint Israel / US team

Malware Costs: Example 4

  • Ashley Madison data breach in 2015
    • This is the site that peddled extra-marital affairs
    • The hackers threatened to release the site’s DB info unless the site was closed down
      • No ransom was requested!
    • They did reveal the information, which led to embarrassment and some suicides
    • Interestingly, almost all of the “female” members were bots…

Malware Costs: Example 5

  • 2016 US election hacks
    • “The US intelligence community has concluded with high confidence that the Russian government interfered in the … election”
    • Whether it affected the outcome is up for debate
      • And not one I want to engage in now…
    • But the fact that they were able to interfere is worrisome
  • Interfering in elections is a common tactic; the US has done so a lot as well (source)

Malware Costs: Example 6

  • NotPetya in 2017
    • Infected Ukrainian companies through a back door put into a Ukrainian version of a TurboTax-like software
      • Companies with Ukrainian subsidiaries were infected through their corporate network
    • This was “the equivalent of using a nuclear bomb to achieve a small tactical victory”
    • There is a good Wired article on it

Malware Costs: Example 7

  • The Colonial Pipeline shutdown
    • Ransomware infected the computers of the company that supplies half of the east coast’s oil and gas
    • They paid 75 bitcoin (about $5 million) to the ransomware writers (DarkSide)
    • The costs beyond that – to regular citizens – have not yet been estimated

Malware Costs: Conclusion

  • Computer viruses and other security attacks are very costly
  • Computer security is a hot field today; many career and research opportunities for graduates from this course
  • Knowledge of security issues is sensitive and carries an ethical responsibility with it
  • …but how can you write a detection software for a virus that does not exist yet?

There are also policy motivations

  • US bills SOPA / PIPA from 2011 were intended to hinder piracy, it would allow serious security problems
    • There have been many such attempts since
  • US drone fleet virus (see articles here and here)
    • And people thought viruses were a thing of the past!

A UVa hack (2013)

Another UVa hack (2015)

Yet another UVa hack (2016)

Cybersecurity and gov’t shutdowns

  • The government shutdown from early 2019 lasted 35 days
  • With skeletal staffs, many gov’t agencies could not perform basic cybersecurity procedures
  • Thus, cybersecurity is one of many things hurt by the shutdown
  • source

Course Information

Course Objectives

  • Understand the ethical and policy context for cybersecurity in today’s society
  • Understand how to better safeguard one’s personal computer
  • Understand the basics of advanced topics in cybersecurity including encryption, digital forensics, binary exploits, and networks
  • Understand the modern concepts in cybersecurity attacks and prevention

Course Purpose

  • This course is meant to be a general introduction to cybersecurity
  • It is the pre-req for all the other cybersecurity courses at UVa

Course Sources

  • I am not, in fact, the first to create an Introduction to Cybersecurity course
    • Some of this course’s content is based on UMich EECS 388
      • Intel funded them to create a course under a CC BY-SA license
    • Other parts come from online sources
      • The ethics part from here, for example

Class Information

  • Prerequisites: CS 2100 (DSA1) and CS 2130 (CSO1), each with a grade of C- or higher
    • If you are on the old curriculum, then CS 2150 (PDR) with a grade of C- or higher
  • Grades
    • One midterm (20%) (date on syllabus)
    • Final exam (25%) (date on syllabus)
    • Homeworks (45%)
    • Class participation, pop quizzes (10%)
  • I reserve the right to adjust the percentages based on the number of assignments and quizzes, and other factors

More on that pre-requisite

  • If you are are a transfer student (or a non-UVA student during the summer term), then your pre-req is all of the following:
    • two semesters of programming experience
    • knowledge of programming in C or C++
    • knowledge of programming in assembly

Exams

  • As mentioned, one midterm:
    • Thursday, October 10th, during lecture
  • Final exam
    • It’s on Tuesday, December 17, from 2pm to 5pm
      • Yes, it’s a horrible exam time
    • You can’t take it early, so please don’t ask
    • You can’t take it late, either

Homeworks

  • Late homework is docked 25% per day (or fraction thereof)
    • Thus, more than 72 hours late will receive a zero
  • Homeworks will generally be given out two per week
    • Some “easy” ones will be more often
    • Some “hard” ones will have a bit more time
  • Note that the difficulty level of the homeworks varies considerably

Extensions

  • You can request an extension, up to 5 days, on any and all assignments
    • There is a Google form, linked to from the Canvas landing page, for this reason
  • HOWEVER:
    • This covers any and all other reasons for a delay (health, travel, SDAC, religious, etc.)
      • Unless that reason would have been a more than 5 day extension in the first place
    • If you get busy at the end of your extension, then that’s your tough luck
    • Note that TA office hours are optimized for the actual on-time date
  • Full details in the course syllabus

Us and you

  • All office hours are posted on the Canvas landing page
  • I avoid e-mailing the class; announcements will be discussed each day in lecture and posted to Canvas / Piazza
  • To contact me, please use the course contact tool (linked to from the main Canvas page)
  • We also have Piazza as well for questions

Course Materials

Tentative schedule

  • Introduction (1 week): course introduction and motivation, terminology, security mindset
  • Ethics & Policy (2 weeks): ethics, policy
  • Encryption (2 weeks): encryption, hashes
  • Networks (2 weeks): networks, web security
  • Binary manipulation (2 weeks): viruses, buffer overflows, binary exploits
  • Modern topics (3 weeks): SQL/XSS/CSRF, anonymity, cryptocurrency, stuxnet, rootkits, VMs
  • Digital forensics (1 week): forensics
  • Note that for the summer, one semester week is about 1.25 summer lecture days

Homeworks

  • Each module will generally have two assignments during a regular (fall/spring) semester (and less than that during a summer term)
    • Either a written homework, submitted as a PDF
      • Will consist of writing, math, and short programs
    • Or a programming assignment; source code will be submitted
  • Please read the homework policies page, as you are going to be bound by it!

Completing the homeworks

  • Most you will run it on your own computer
  • We will provide a separate online environment for some assignments
  • Some homeworks will require a specific platform or language, others it will be a recommendation, and others can be done on any platform
  • You can use any development environment (including IDE) that you would like

Readings

  • There is no assigned textbook
    • They get outdated too quickly!
  • However, there will be readings assigned
  • These readings may have pop quizzes to test that you actually read it
    • If you miss class, then you get a zero for the quiz!
    • They will be via provided PDFs and/or online materials
  • Some of the “readings” may be podcasts to listen to

What you must purchase

  • Nothing
    • (there is no textbook for this course, only online materials)
  • But, as it’s a computer science course, you need to have a (working and recent) computer
    • If you don’t, or if yours breaks, let me know, and the department can loan you one

Politics

  • Some of the discussion in this class will be regarding politics
    • Especially the policy discussion late next week
  • Although I have strong political opinions, I have always maintained strict political neutrality when teaching my classes
    • If you ever feel this is not the case, please let me know!
  • That being said, if something is stupid, I’m going to say so (generally something technology related)
    • I don’t consider that politics – just common sense

Sensitive topics

  • Cybersecurity is closely tied to spam (a common vector), which is closely tied to pornography (a common means to get clicks)
  • We will be discussing these as well – and yes, in a professional manner

Honor policy

  • All assignments are individual assignments
  • You can talk at a high level about the assignment
  • You cannot look at anybody else’s code prior to either of your submissions
  • Once you both have submitted it for the FINAL time, you may discuss code
  • Any honor violation or cheating will be referred to the honor committee, and will result in immediate failure for the course

Generative AI

  • You may use generative AI, such as ChatGPT, to help you study and understand concepts
  • All the code you submit must be your own, and cannot come from a generative AI
    • It turns out that generative AI is not all that useful for most of our assignments
  • At least one assignment will require you to use generative AI (ethics)
    • For all others: you have to write the essay or code all by yourself

Ethics

Computer Ethics

  • We must teach how attacks upon computer systems work in order to teach defenses against attacks
  • Information about attacks must NEVER be used to attack any computer system in any way

Ethics Pledge

  • You will have to read and sign the ethics pledge
    • It should not be difficult to follow
  • Ethics will be covered in more detail later
  • You cannot continue in the course without signing the ethics pledge
  • I’ll provide the pledge links to sign electronically in a day or two

Ethics Pledge Points

  • Unauthorized use of computer resources is forbidden
  • Even malware that does nothing but copy itself uses resources
  • Don’t ever rationalize that a system owner won’t object to your actions; ask permission
    • If you are afraid to ask permission, it must be forbidden!

Example: 1988 Morris Worm

  • Creator rationalized that the worm did no damage
    • It only copied itself from system to system over the Internet
  • BUT: Copying monopolized system resources until they had to be shut down
  • Worm reached 10% of entire Internet
  • Creator did not realize it would be that resource-intensive
  • Creator was convicted of felonies!
    • And is now a professor at MIT. Go figure!

Morris Worm Lessons

  • Consequences of a virus or worm cannot always be foreseen
  • Severe damage can be done without destroying data
  • Excessive resource usage is destructive enough to be criminal

Criminal Prosecution

  • Attackers have been prosecuted for:
    • Stealing passwords, even if never used
    • Copying copyrighted materials
    • Accessing confidential data, even if it was never used for harmful purposes
    • Entering a system without permission, causing sys admins to spend time tracking them and securing the system, even without otherwise causing harm
  • Moral: Don’t assume it is legally safe to do any of the above

Ethics Violations

  • Violations by students endanger our ability to offer this course
  • As a result, they will be treated severely
    • UJC (University Judiciary Committee)
    • Course grades
    • Criminal prosecution

ACM Code of Ethics

  • ACM is the primary professional organization for computer scientists
    • IEEE is the other
  • The entire code is available at http://www.acm.org/about/code-of-ethics

Ethics Questions

  • Scenario: John Doe attempts to guess the password of a user of a system on which John Doe has no account. After a few guesses, he succeeds, but finds nothing of interest on the system and logs off.
  • Q1: Has he committed a crime?
  • Q2: Are his actions analogous to any common crime not involving computers?