Computer Security Offense and Defense Best Practices Ethics/DFEI... · 2018-04-18 · Computer...

Page 1

Computer Security Offense and Defense – Best Practices

Sang-Yoon Chang

Assistant Professor

Computer Science


This material was developed by Sang-Yoon Chang and is intended for classroom discussion rather than to illustrate effective or ineffective handling of administrative, ethical, or legal decisions by management. No permission or compensation is needed for classroom use as long as it is acknowledged to be the creative work of the author and the UCCS Daniels Fund Ethics Initiative. For publication or electronic posting, please contact the UCCS Daniels Fund Ethics Initiative at 1-719-255-5168. (2017)

Page 2

DFEI Ethics Roundtable: Computer Security Ethics, by Sang-Yoon Chang

Research areas:

Computer network

Wireless communication

Computer security

Applied cryptography

Coursera/MOOC!

Page 4

Teaching Computer Security at UCCS

CS 4910: Introduction to Computer Security

CS 4920/5920: Applied Cryptography

(OCS 4920/5920: Applied Cryptography)

CS 5960: Wireless & Embedded Sys. Security



Page 6

Computer Security – Two Sides of a Coin


Education focuses on defense

Imperative to understand the offense

Learn concepts, techniques, and tools that can

be used for offense

White hat / Grey hat / Black hat

Page 7

From Hero to Prisoner


Robert Morris (Morris worm), 1988: the first person convicted under U.S. computer crime law (the Computer Fraud and Abuse Act); now an MIT professor

Marcus Hutchins, 2017: from stopping WannaCry (ransomware) to getting arrested

Grey hat


Page 10

Course Projects by UCCS Students

Keystroke logger

Wireless keyboard logger

Mobile malware

Fake base station

Network intrusion and detection

Denial of service (flooding)

Bluetooth Low Energy eavesdropping

Database security and SQL injection

Game console hack

Drone control security

Etc.


Page 11

CS 4910 Fall 2016 (Before DFEI)

I knew ethics was important

Lecture on ethics based on the textbook chapter

Lecture at the end of the course

(CS 3050 – Social and Ethical Implications of Computing)


Page 12

CS 4910 Fall 2016 (After DFEI)

Significant adaptation of the textbook chapter

Lecture earlier in the course, on 11/2 (one week after the project proposal)

Greater focus on responsible practice and responsible disclosure

Also discussed general legal enforcement and ethical guidelines for computing artifacts



Page 14

Responsible Disclosure

After finding a security vulnerability or a threat, disclose it to the vendor or regulatory body in advance of any public release

“The Rules” (Moral Responsibility for Computing Artifacts) by the Ad Hoc Committee for Responsible Computing

Used a case study to present the dilemma


Page 15

Case Study: Remote Car Hack

Remote car hacking (remotely taking control of a car) over a remote connection

Miller/Valasek in 2015 vs. UCSD/UW in 2010

Incidents presented in reverse-chronological order, from 2015 back to 2010

And then the reflections in 2015 and 2016


Page 16

Chrysler Jeep Hack Incident in 2015

Charlie Miller and Chris Valasek in 2015

Publicized in Wired and presented at Black Hat

Patches: software and networking (Sprint)

Chrysler recalled 1.4 million vehicles

Copycat attacks, e.g., on BMW and Tesla

https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/



Page 19

Before 2015

Miller and Valasek at DEF CON 2013

UCSD and UW in 2010 and 2011

(USC and Rutgers in 2010)

But the vendors were not named, and no code or details were released to reproduce the work

Page 20

Wired Article 2015

From Wired: https://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/

“When a pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive…”

“But when another group of researchers quietly pulled off that same automotive magic trick five years earlier, their work was answered with exactly none of those reactions…”

“Took GM 5 years to fix”

“Far ahead of its time”


Page 21

UCSD/UW in 2016

S. Savage at Enigma 2016: the first time they disclosed the actual vendor and model

https://www.youtube.com/watch?v=oiFnjuOYz3k

“Provide knowledge about problems, create some incentives to act on that knowledge, and do so in a way that minimizes real harm”

“Very little capacity to deal with the problem at the federal and the manufacturer level [at the time]”

Impact: GM “gets security religion” (CSO, 100 employees); SAE (standardization); NHTSA (lab)


Page 22

Limited Disclosure 2010 vs. Coordinated Disclosure 2015

Conscious decision to make limited disclosure

Why limited disclosure in 2010?

The timing is critical

Information technology vs. operational technology

Cyber-physical systems



Page 24

Responsible Disclosure

Ethical principles applied to the disclosure decision:

Integrity: act with honesty
Trust: trust with vendors, SAE, NHTSA, and DoT
Accountability: responsible for the disclosure, or non-disclosure, actions
Transparency: open/truthful interactions with vendors, SAE, NHTSA
Fairness: consideration for the impact of the disclosure
Respect: honor the property of vendors and the views of the general public
Rule of Law: research prototyping using owned possessions
Viability: disclosure based on beliefs/values, and raising awareness

Page 25

Thank You

Sang-Yoon Chang

[email protected]

http://www.uccs.edu/schang2

Thank you, DFEI!
