01:090:101 section 51, Hill-248, T 3:20-4:40, starting September 1

01: hello, you must be new here: introduction to the course, terminology, hand out rules for the game (for week 2). Passwords, good and bad: how many to have, assumptions about loss, and what to do. Democratic Party voter threats. Analysis of the DoS attack against Rutgers, 2014/2015. MTM/DNS redirect roleplay (see 'mtm-presentation'). Phishing; spearphishing. Risks of bad security: stolen money, bad voting, loss of control of machines (centrifuges, cars, electrical grids, networks, stock exchanges, national security), IRS use as a political action arm (because too much information was available to political operatives masquerading as government employees, who could act to damage the political rights of those they didn't like). The massive number of people affected (e.g. 'top 5 hacks'). Smaller than you think: Raspberry Pis, cameras, wifi snorting - show it in operation.

02: How to get infected: email, web download, USB key (Stuxnet), "patches" (e.g. the KB302 'fix' from Microsoft that caused more problems than it fixed). Shall we play a game?: play of "d0x3d!", a cooperative hacking card game (www.d0xed.com). I'll print out the pieces and make five game-sets.

03: the mindfield: discussion of what the game showed, and its reality-based components. Keyboard loggers. Net-sniffers. The problem with erasing data forever on the 'net (that is, if it is deleted it's gone forever, unlike paper). Cookie analysis. Lying: statistics, outright lying, misleading data (the useless graphic), the war(s) for the soul of Wikipedia.

ALT 04: Presentation via the web. The "web" of you: name, SSN, address, mother's maiden name, bank account, credit card, birthday, car you drive, likes, dislikes, porn (Ashley Madison), email (what do you put in email? Who has access to it?), password(s) (you do have several, right?), tax information (how much you make, what's your health like?), lifestyle information (what do you buy?), medical information, genetic information (e.g. "trace your genetic ancestry" services; US Military).
Who has it (legitimately)? Could they do something illegitimate with it? (e.g. sell your postal and email address)
Who has it (stolen)? What could they do with it?
Who did you give it to that you probably shouldn't have (credit cards for 10 percent off, that you never intend to use again)? Why?
What can be done with what you gave away?
Rent a car
Open a bank account
Steal your existing money
Buy things with credit cards they create
Vote in your name
Get a job in your name
Steal from your friends (phishing/virusing)
Deny you insurance (DNA proclivities)
Deny you employment (same)
Is it too late? Good practices for the "web of you."
Projects: present on a recent (for some definition) identity theft and actual theft event. Teams of two. Think about which one. Tell about what you picked next week.

OLD 04: I gotta do what?: handing out presentation projects to teams of two (or interpret and present on data handed to you by us): how-to's of things; historical events, and so on. SQL injection, cross-site web stuff, historical vulnerabilities. Steganography (see "notes").

ALT 05: Projects: present on a recent (for some definition) identity theft and actual theft event. Teams of two. Think about which one. Tell about what you picked next week.
Game: free-form game of "what can I do with". Presented with an 'in' on a person, how would you go about getting more information, and then using it?
1) username/password on email account (and nothing else)
2) that the wifi in your building is unprotected
3) SSN/Name
4) Nothing
On the web, you live forever, sort of -- the difficulty of removing wrong information, the ease of "erasure" if a server is turned off. The battle for the soul of Wikipedia. The morality of wikileaks-like servers. Who decides what is 'truth'? Is "scientific consensus" a valid measure? (Plate tectonics, Piltdown man, etc.) Who said "In questions of science the authority of a thousand is not worth the humble reasoning of a single individual"? (Galileo) Ignaz Semmelweis proposed (1847) washing a doctor's hands before dealing with childbirths to cut infection risks. He was ignored, because of 'scientific consensus'. Indeed, 18 years later he was put in an insane asylum and beaten to death by the guards there.

OLD 05: with this, I shall rule the world: Using a web-based attack simulator (of which there are a surprising number), we'll try to break into things. This session will be giving out tools in the game descriptions, and discussion of attack methodology. Worms, trojan horses, zombie-nets.

ALT 06: Social media: What are "bad practices"? What are "good"? Is the perceived lack of privacy with social media bad, or just a new view of social interaction? Is there a "push away" from personal contact because of alternative means of interacting (by social media)? What new social media is coming (that you can imagine)? Are they good, or bad? (e.g. "Surrogates") How would you 'start over' with personal information? It's a mess now. Is there an alternative?

OLD 06: Web simulation attack (whole class).

ALT 07: The other side of the curtain: What are the responsibilities of the holder of personal data? Corporate? Non-profit? Governmental (local, state, federal)? What penalties (if any) should be placed on holders of data that don't meet them (currently, none at all)?

OLD 07: Defense: personal, computer, network. How would you defend a network against the bad guys? How do you defend your own machine and its communications? How do you defend your personal information?

08: Q&A about presentations. Kali Linux (attack tools freely available). For-pay attack tools. Black hat versus white hat hacking. Organized crime.

09: Presentations #1: (randomly selected) groups give presentations.

10: Presentations #2: (randomly selected) groups give presentations.