# Contents

- [Motivation](#/why)
- [Course Information](#/how)
- [Ethics](#/ethics)

## First, a definition...

> mal: bad, in the Latin

> malware: software that is intended to damage or disable computers and computer systems

## Costs of Malware

- Cost of malware (worldwide):
  - 1997: $3.3 billion ([source](http://www.computereconomics.com/article.cfm?id=1225))
  - 2006: $13.3 billion ([source](http://www.computereconomics.com/article.cfm?id=1225))
  - 2014: $491 billion ([source](https://www.scmagazine.com/breaches-malware-to-cost-491-billion-in-2014-study-says/article/539302/))
  - 2015: $3 trillion ([source](https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/))
  - 2021: estimated to hit $6 trillion ([source](https://www.varonis.com/blog/cybersecurity-statistics/))
- Companies often cover up the worst cases
- Does not include cost of security measures

## Malware Costs: Example 1

- April 1999: [CIH (Chernobyl) virus](http://en.wikipedia.org/wiki/CIH_virus)
- Overwrites first megabyte of the hard drive with zeros, then overwrites the BIOS
- Only affects Windows 95, 98, and ME
- $250 million lost in one day in Korea alone; widespread across Asia
- Estimated $1 billion in damages in total
- Hard to quantify cost of lost files, time spent reinstalling OS and applications, etc.

## Malware Costs: Example 2

- February 2001 mass mailer: [Anna Kournikova computer virus/worm](https://en.wikipedia.org/wiki/Anna_Kournikova_(computer_virus%29)
- Visual Basic script via email, based on [LoveLetter](http://en.wikipedia.org/wiki/Loveletter)
- Enticed people to open it promising a picture of a popular and pretty tennis star
- Social engineering!
- Did little damage, though
- The creator didn't know how to program!
- He used a virus kit

## Malware Costs: Example 3

- 2010 / 2011: [Stuxnet worm](http://en.wikipedia.org/wiki/Stuxnet)
- By far the most advanced piece of malware ever created at that point
- Its goal (and it succeeded!) was to cripple Iran's nuclear enrichment
- Said program was set back by 1-2 years
- Authors have not come forward, but speculation is a joint Israel / US team

## Malware Costs: Example 4

- [Ashley Madison data breach](https://en.wikipedia.org/wiki/Ashley_Madison_data_breach) in 2015
- This is the site that peddled extra-marital affairs
- The hackers threatened to release the site's DB info unless the site was closed down
- No ransom was requested!
- They did reveal the information, which led to embarrassment and some suicides
- Interestingly, almost all of the "female" members were bots...

## Malware Costs: Example 5

- [2016 US election hacks](https://en.wikipedia.org/wiki/Russian_interference_in_the_2016_United_States_elections)
- "The US intelligence community has concluded with high confidence that the Russian government interfered in the ... election"
- Whether it affected the outcome is up for debate
- And not one I want to engage in now...
- But the fact that they were able to interfere is worrisome
- Interfering in elections is a common tactic; the US has done so a lot as well ([source](https://www.washingtonpost.com/news/worldviews/wp/2016/10/13/the-long-history-of-the-u-s-interfering-with-elections-elsewhere/))

## Malware Costs: Example 6

- [NotPetya](https://en.wikipedia.org/wiki/Petya_(malware%29) in 2017
- Infected Ukrainian companies through a back door put into a Ukrainian version of a TurboTax-like software
- Companies with Ukrainian subsidiaries were infected through their corporate network
- This was "the equivalent of using a nuclear bomb to achieve a small tactical victory"
- There is a good [Wired article](https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/) on it

## Malware Costs: Conclusion

- Computer viruses and other security attacks are very costly
- Computer security is a hot field today; many career and research opportunities for graduates from this course
- Knowledge of security issues is sensitive and carries an ethical responsibility with it
- ...but how can you write detection software for a virus that does not exist yet?

## There are also policy motivations

- US bills [SOPA](https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act) / [PIPA](https://en.wikipedia.org/wiki/PROTECT_IP_Act) from 2011 were intended to hinder piracy, but they would allow serious security problems
- There have been many such attempts since
- US drone fleet virus (see articles [here](http://www.tgdaily.com/security-features/58927-virus-infects-us-military-drones) and [here](https://www.wired.com/2011/10/virus-hits-drone-fleet/))
- And people thought viruses were a thing of the past!

A UVa hack (2013)
Another UVa hack (2015)
Yet another UVa hack (2016)
## Cybersecurity and the last shutdown

- The [government shutdown](https://en.wikipedia.org/wiki/United_States_federal_government_shutdown_of_2018%E2%80%932019) from early 2019 lasted 35 days
- With skeletal staffs, many gov't agencies could not perform basic cybersecurity procedures
- Thus, cybersecurity is one of many things hurt by the shutdown
- [source](https://www.rollcall.com/news/cybersecurity-efforts-may-suffer-shutdown-persists)

# Course Information

## Course Objectives

- Understand the ethical and policy context for cybersecurity in today's society
- Understand how to better safeguard one's personal computer
- Understand the basics of advanced topics in cybersecurity including encryption, digital forensics, binary exploits, and networks
- Understand the modern concepts in cybersecurity attacks and prevention

## Course Purpose

- This course is meant to be a general introduction to cybersecurity
- It will eventually be a pre-req for all the other cybersecurity courses at UVa
- But not yet, since this is only the second semester the class is being taught

## Content duplication

- In the past, students have taken many different courses as their first cybersecurity course
- This led to a duplication of topics, including: encryption, networking basics, etc.
- That content is being moved into this course
- Since it is now a pre-req for all the security courses

## Content duplication

- Thus, if you have taken any of those classes:
  - CS 4730: Defense Against the Dark Arts
  - CS 4760: Network security
  - CS 4501: Topics in Cryptography
- You *may* see repeated content
- It depends on how much of the "basics" were covered in that course

## Repeated content specifics

Repeated content:

- From CS 4730 (Defense Against the Dark Arts): terminology, encryption, SQL & XSS, networking basics, Stuxnet
- From CS 4760 (Network security): networking basics, encryption, securing networks
- From CS 4501 (Topics in Cryptography): encryption

## Course Sources

- I am not, in fact, the first to create an Introduction to Cybersecurity course
- Some of this course's content is based on [UMich EECS 388](https://www.eecs.umich.edu/courses/eecs388.f13//index.html)
- Intel funded them to create a course under a [CC BY-SA](http://creativecommons.org/licenses/by-sa/4.0/) license
- Other parts come from online sources
- The ethics part from [here](https://www.scu.edu/ethics/focus-areas/technology-ethics/resources/an-introduction-to-cybersecurity-ethics/), for example

## Class Information

- Prerequisites: CS 2150 with a grade of C- or higher
- Grades
  - One midterm (20%) on Friday, May 29th
  - Final exam (25%): **EITHER** Friday, June 12th during lecture **OR** Saturday, June 13th at time TBA
  - Homeworks (45%)
  - Class participation, pop quizzes (10%)
- I reserve the right to adjust the percentages based on the number of assignments and quizzes, and other factors

## More on that pre-requisite

- If you are not a UVa student, then your pre-req is all of the following:
  - three semesters of programming experience
  - knowledge of programming in C or C++
  - knowledge of programming in assembly

## Homeworks

- Late homework is docked 25% per day (or fraction thereof)
- Thus, more than 72 hours late will receive a zero
- Homeworks will generally be given out two per week
- Some "easy" ones will be more often
- Some "hard" ones will have a bit more time
- Note that the difficulty level of the homeworks varies considerably

## Us and you

- My office hours are each day from 10:00-10:30
- As HWs are due, there will be more office hours
- I can also meet by appointment; submit a [support request](https://libra.cs.virginia.edu/~pedagogy/support.php) for that
- The TAs will also have office hours, times TBA
- I avoid e-mailing the class; announcements will be discussed each day in lecture
- To contact me, please use the support tickets tool via the "Course Tools" tool in Collab
  - https://libra.cs.virginia.edu/~pedagogy/
- We also have Piazza

## Course Materials

- They are kept in a github repo: https://github.com/aaronbloomfield/ics
- Released under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/) (CC BY-SA)
- That repo is viewable online at http://aaronbloomfield.github.io/ics/

## Collab

- We'll use it for:
  - Quick login to the submission system
  - Piazza link
  - Large file downloads
  - Lecture recordings
  - Online meetings link
- Recall that most of the course materials are in the [github repo](https://github.com/aaronbloomfield/ics)

## Online in the summer of 2020

- The online format is new to me, so please provide feedback ([anonymously](https://collab.its.virginia.edu/portal/site/02dd0151-e77a-4f8a-adc8-65fcd9ba3ecf/tool/f5f0f583-519f-4d4a-b6e5-57d435bf17ff/main) or [not](https://libra.cs.virginia.edu/~pedagogy/support.php)) as to what works and what does not work
- Office hours will be via a Zoom meeting
- They will not be recorded, but others may be on the zoom call at the same time
- For the TA office hours, if nobody signs on in the first 10 minutes, the office hours will end early
- Likewise, if all the questions are answered and nobody is left, they will end early

## Tentative schedule

- (for the summer, a class is 2 lectures of content)
- Introduction (3.5 lectures): course introduction and motivation, terminology, security mindset
- Ethics & Policy (5 lectures): ethics, policy
- Encryption (5.5 lectures): encryption, hashes
- Networks (6 lectures): networks, web security
- Binary manipulation (6 lectures): viruses, buffer overflows, binary exploits
- Modern topics (9 lectures): SQL/XSS/CSRF, anonymity, cryptocurrency, stuxnet, rootkits, VMs
- Digital forensics (3 lectures): forensics

## Homeworks

- Each module will generally have two assignments
  - A written homework, submitted as a PDF
    - Will consist of writing, math, and short programs
  - A programming assignment; source code will be submitted
- Please read the [homework policies](../uva/hw-policies.html) page, as you are going to be bound by it!

## Completing the homeworks

- You can use a VirtualBox image we will provide
- Similar to the one used in CS 2150, but updated and with a bit more software installed
- You can run it on your own computer
- Some homeworks will *require* that image, for others it will be a recommendation, and others can be done on any platform
- You can use any development environment (including IDE) that you would like

## Readings

- There is no assigned textbook
- They get outdated too quickly!
- However, there will be readings assigned
- These readings may have pop quizzes to test that you actually read it
- If you miss class, then you get a zero for the quiz!
- They will be via provided PDFs and/or online materials
- Some of the "readings" may be podcasts to listen to

## What you must purchase

- There is no textbook for this course, only online materials

## Politics

- Some of the discussion in this class will be regarding politics
- Especially the policy discussion late next week
- Although I have strong political opinions, I have always maintained strict political neutrality when teaching my classes
- If you ever feel this is not the case, please let me know!
- That being said, if something is stupid, I'm going to say so (generally something technology related)
- I don't consider that politics -- just common sense

## Sensitive topics

- Cybersecurity is closely tied to spam (a common vector), which is closely tied to pornography (a common means to get clicks)
- We will be discussing these as well -- and yes, in a professional manner

## Honor policy

- All assignments are individual assignments
- You can talk at a high level about the assignment
- You cannot look at anybody else's code prior to either of your submissions
- Once you both have submitted it for the *FINAL* time, you may discuss code

## Computer Ethics

- We must teach how attacks upon computer systems work in order to teach defenses against attacks
- Information about attacks must NEVER be used to attack any computer system in any way

## Ethics Pledge

- You will have to read and sign the ethics pledge
- It should not be difficult to follow
- Ethics will be covered in more detail later
- You cannot continue in the course without signing the [ethics pledge](../uva/ethics-pledge.pdf)!
- I'll provide the pledge print-outs and collect them in the next class or two

## Ethics Pledge Points

- Unauthorized use of computer resources is forbidden
- Even malware that does nothing but copy itself uses resources
- Don't ever rationalize that a system owner won't object to your actions; ask permission
- If you are afraid to ask permission, it must be forbidden!

## Example: [1988 Morris Worm](http://en.wikipedia.org/wiki/Morris_worm)

- Creator rationalized that the worm did no damage
- It only copied itself from system to system over the Internet
- BUT: Copying monopolized system resources until they had to be shut down
- Worm reached 10% of entire Internet
- Creator did not realize it would be that resource-intensive
- Creator was convicted of felonies!
- And is now a professor at MIT. Go figure!

## Morris Worm Lessons

- Consequences of a virus or worm cannot always be foreseen
- Severe damage can be done without destroying data
- Excessive resource usage is destructive enough to be criminal

## Criminal Prosecution

- Attackers have been prosecuted for:
  - Stealing passwords, even if never used
  - Copying copyrighted materials
  - Accessing confidential data, even if it was never used for harmful purposes
  - Entering a system without permission, causing sys admins to spend time tracking them and securing the system, even without otherwise causing harm
- Moral: Don't assume it is legally safe to do any of the above

## Ethics Violations

- Violations by students endanger our ability to offer this course
- As a result, they will be treated severely
  - UJC (University Judiciary Committee)
  - Course grades
  - Criminal prosecution

## ACM Code of Ethics

- ACM is the primary professional organization for computer scientists
- IEEE is the other
- The entire code is available at http://www.acm.org/about/code-of-ethics

## Ethics Questions

- Scenario: John Doe attempts to guess the password of a user of a system on which John Doe has no account. After a few guesses, he succeeds, but finds nothing of interest on the system and logs off.
- Q1: Has he committed a crime?
- Q2: Are his actions analogous to any common crime not involving computers?