Some basics of cybersecurity
Here are some basic concepts I find helpful when thinking about the security of a computer system, reading about new vulnerabilities, etc.
0. What is authentication?
Computer systems are protected using "authentication" - can you prove that you are a person who should be listened to or given access to data? Authentication is based on knowing secret numbers. If you can provide a number that only Alice should know, then you must be Alice. Every authentication system boils down to "guess which number I am thinking of, between 0 and 10", except ideally the range of possible answers is much larger than 10, so you can't really guess it. A "4-bit" key means that the number of possible values is 2 to the power of 4, which is 16. If you could guess one number every second, it would take you 16 seconds to guess the key. A "2048-bit" key means that the number of possible values is 2 to the power of 2048, which is... a larger number, and guessing such a key would be much more difficult. But there might be some flaw in the protocol which reduces the range of possible values, thus making an attack easier.
1. What is hacking?
"Hacking" computer systems is about tricking their algorithms into doing things they weren't designed to do. For example, suppose you are telling a "Knock knock" joke. The other person has to say "Who's there?" and then "X who?", where "X" is whatever you say. So if you say "Boo", then the person has to say "Boo who" and it sounds like they're crying ("boo hoo", haha). This is how the "Heartbleed" vulnerability worked, where "X" was two things together: a user-supplied string of characters and the number of characters in that string. So you could be cheeky and say "cupcake, 50", and the server would send you the string "cupcake" followed by 43 characters of whatever other information it had lying around in memory, often including some of the server's own secret numbers (see "0" above, not-so-haha).
2. Leaking information
An important theme in cybersecurity today is leaking information. This means that information is not directly revealed, but can be inferred. For example, suppose you are a criminal boss and you want to break into a police database which holds the names and dates of birth of witnesses, because you want to know which of your lieutenants is snitching on you. Every time you search for someone, the database says "Access denied". But sometimes that error message comes back faster than others. Eventually you work out that the error takes longer to appear if a matching record exists. Maybe behind the scenes, the database is reading the record before deciding whether to allow access to it. It's the same error message, but the time it takes to respond varies according to secret information. Any observable behaviour which varies with secret information can be used to extract that secret information. You can now work out which of your lieutenants is snitching, by seeing which queries error out more slowly than others. All the time, the police can be proud that their access control is "working". But nonetheless they have leaked sensitive information out of the database.
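The leak in the police-database story, as an added Python example that is not from the original article: when the lookup reads the record before deciding on access, the cost of a denied query depends on whether the record exists; when it authorizes first, it does not. The witness table, the caller-permission flag and the operation counter are constructed stand-ins for the scenario, and the counter plays the role that response time plays in a real system.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the witness database.
WITNESSES = {"alice": "1980-01-01", "bob": "1975-06-30"}


@dataclass
class Meter:
    """Counts simulated expensive operations; stands in for wall-clock time."""
    record_reads: int = 0


def fetch_record(name, meter):
    """Simulated disk read: only costs something when a record exists."""
    if name in WITNESSES:
        meter.record_reads += 1
        return WITNESSES[name]
    return None


def leaky_lookup(name, caller_allowed, meter):
    """Reads the record first, then checks access: the ordering from the story."""
    record = fetch_record(name, meter)
    if not caller_allowed:
        raise PermissionError("Access denied")
    return record


def hardened_lookup(name, caller_allowed, meter):
    """Checks access first; a denied query never touches secret data."""
    if not caller_allowed:
        raise PermissionError("Access denied")
    return fetch_record(name, meter)


def cost_of_denied_query(lookup, name):
    """Work performed on the denied path for one candidate name."""
    meter = Meter()
    try:
        lookup(name, False, meter)
    except PermissionError:
        pass
    return meter.record_reads


def leak_probe(lookup, candidates):
    """Defender's regression check: names whose denied query costs more than
    the cheapest one are distinguishable, so the endpoint leaks existence."""
    costs = {n: cost_of_denied_query(lookup, n) for n in candidates}
    baseline = min(costs.values())
    return sorted(n for n, c in costs.items() if c > baseline)
```

With real response times the probe would need many samples per candidate and a statistical comparison rather than a single count, but the fix is the same: authorize before doing any work that depends on the data.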
3. Nominal vs effective privileges
Every user or process in a computer system has a set of privileges, being the things they are allowed to do, but sometimes they can escalate to additional privileges. For example, suppose a user has no reason to access a database, but they are the person in charge of adding users to and removing users from that database. They can add themselves as a user with access to the database! Another example is when a user has local administrative privileges on a server where another administrator (with more global privileges) is known to log in; depending on how the operating system is designed, the local administrator may be able to steal the global administrator's secret numbers (see "0" above) and exercise their greater privileges.
4. Always wear a hoodie when hacking. Or when reading about hacking.
The world needs more people who understand cybersecurity. Not just people working in "cybersecurity" roles or even just people in IT, but just generally people who understand cybersecurity. The prefix "cyber" doesn't mean "computers", it means "governance". Cybersecurity is about securing the way our world is governed -- which today involves a lot of computers, but also a lot of people.
The key to cybersecurity is thinking about how things might go wrong and how someone might exploit that -- and having a good set of abstractions for making such a complex thing tractable to think about.
If you have any questions please feel free to reach out here or at [email protected].