Price/college
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cs-3113: add assignment 3

Browse Source
This commit is contained in:
Price Hiller 2024-11-12 01:02:13 -06:00
parent 1118e8ebc3
commit 87e7da1603
Signed by: Price
GPG Key ID: C3FADDE7A8534BEB
2 changed files with 428 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

264
Fall-2024/CS-3113/Assignments/3-Design-Principlies-EMP/Assignment.typ Normal file
View File

@ -0,0 +1,264 @@
#set text(font: "Calibri", 11pt)
#show link: set text(blue)
#set page(margin: 1in, number-align: right + top, "us-letter")
#let solve(solution) = {
block(
inset: 3pt,
outset: 1pt,
stroke: blue + .3pt,
fill: rgb(0, 149, 255, 15%),
radius: 4pt,
)[#solution]
}
#let solvein(solution) = {
let outset = 3pt
h(outset)
box(
outset: outset,
stroke: blue + .3pt,
fill: rgb(0, 149, 255, 15%),
radius: 4pt,
)[#solution]
}
#let note(content) = {
block(
inset: 3pt,
outset: 1pt,
stroke: luma(20%) + .3pt,
fill: luma(95%),
radius: 4pt,
)[#content]
}
#let notein(content) = {
let outset = 3pt
h(outset)
box(
outset: outset,
stroke: luma(20%) + .3pt,
fill: luma(95%),
radius: 4pt,
)[#content]
}
#align(
center,
[
#text(size: 1.2em, weight: "black")[
CS-3113 Principles of Cyber Security
Assignment 2: Design Principles and Electromagnetic Pulse, 50 points
]
#note()[#underline[Price Hiller] *|* #underline[zfp106]]
],
)
\
#show heading: set text(weight: "regular")
#show heading.where(level: 1): set text(fill: blue)
#show heading.where(level: 2): set text(fill: blue.lighten(30%))
#show heading.where(level: 3): set text(fill: white.darken(60%))
= Design Principles and Electromagnetic Pulse Assignment
== Purpose
Apply the Security Design Principles against a real-world example and discuss how secure (or insecure) the ecosystem is.
In addition, explore the impact of an electromagnetic pulse (EMP) to the nation's critical infrastructure - including
information systems.
== Assignment
=== Design Principles
The class spent several weeks examining the 11 General/Fundamental and Security Design Principles. While some examples
were provided, this assignment is going to have you apply those design principles to a real-world system the `NPM`
package manager. `NPM` is a package manager for JavaScript and there have been numerous incidents that illustrate the "ecosystem"
was not designed to be secure.
=== Electromagnetic Pulse (EMP)
On March 26, 2019, the President issued Executive Order 13865 "Coordinating National Resilience to Electromagnetic
Pulses." The purpose, found in Section 1 of this order is:
#box(inset: (
left: 2em,
))[*Section 1.* _Purpose. *An electromagnetic pulse (EMP) has the potential to disrupt, degrade, and damage technology and critical
infrastructure
systems.*_ Human-made or naturally occurring EMPs can affect large geographic areas, disrupting elements critical to the
Nation's security and economic prosperity, and could adversely affect global commerce and stability. The Federal
Government must foster sustainable, efficient, and cost-effective approaches to improving the Nation's resilience to the
effects of EMPs.]
(The combination of bolded and italics is my editing.)
*This assignment should be an individual effort. You may discuss the assignment with other students or individuals, but
all answers must be your own work and based on your own research/studying.*
== Deliverables
A report using reasonable document settings for font, margins, etc. that contains answers/responses to the questions
below.
Include appropriate references as footnotes, endnotes, or a references section.
#pagebreak()
= Questions
#enum(
[
*(20 points)* The npm (Node Package Manager) is a package manager for JavaScript. See the Wikipedia page here:
https://en.wikipedia.org/wiki/Npm_(software) The Wikipedia page lists several "Notable Breakages" including one from
January 2022 where the maintainer of the "colors" package purposely pushed a broken/malicious update. Almost 19,000
projects relied on this package and many applications were broken due to this update. More information here:
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
In addition, there is a website that will create the dependency graph for various npm modules. It can be found here:
https://npmgraph.js.org/
To illustrate how a project can have a large number of dependencies, enter the "npm" module in the textbox at the top
right corner of the page. This will draw a graph showing the 185 modules that the npm module is dependent on (as of
06/27/2024) in order for it to function so you can see the overall complexity of npm itself.
#enum(
numbering: "a)",
[
*(2 points)* In what month and year was there a breakage involving a package that stole cryptocurrency?
#solve[The Lottie Player npm package created a new release that attempted to steal cryptocurrency. It was reported by "MrAhmedSayedAli",
a user on Github @lottie-player-gh-issue, the malicious version was pushed on October 30th, 2024.]
],
[
*(2 points)* Roughly how many downloads did the _colors_ library receive _per week_ on npm?
#solve[When the `colors` package pushed a malicious update it had "over 20 million weekly downloads".
@npm-colors-faker-breakage]
],
[
*(3 points)* How many modules does "`webche`" depend on if we include `devDependencies`?
#solve[The `webche` package on NPM depends on 1,482 other modules or 1,481 modules it depends on if we ignore the single top
level package (that being `webche` itself). @webche-deps]
],
[
*(3 points)* If someone spent even 15 minutes to verify each of the `webche` dependencies, how many weeks would that
take assuming someone is working 40 hours/week on this effort? (Answer in whole week numbers and always round upwards.
Ex: 33 or 34, not 32.64 or 33.13.)
#solve[
It would take approximately $10$ weeks to verify all of `webche`'s dependencies.
#note[$⌈((1482 ⋅ 15) ÷ 60) ÷ 40⌉ = 10$]
]
],
// TODO: DO THIS BELOW!!!
[
*(10 points)* Select 2 of the 11 general/fundamental and secure design principles and, in a total of 250-300 words, describe how those design principles are not properly applied/used in the "npm ecosystem."
#solve[
Two of the fundamental and secure design principles that the `npm` ecosystem violates are simplicity and the principle of least privilege.
Firstly, for simplicity, the `npm` ecosystem has a extraordinarily bad habit of creating tiny libraries that get reused in more important foundational libraries. There is an argument to not recreate the wheel, but some things are so trivial that its worth doing. Take for instance, the `left-pad` incident way back in 2016 @leftpad-incident. All `left-pad` does is pad the left side of strings. This is built in to format functions within Javascript rendering `left-pad` pointless. In fact, its _more complex_ to include `left-pad` in a project as it requires a full network call to download the package for what is, again, _already built in_. The `left-pad` package was unpublished from `npm` resulting in mass breakages across the entire `npm` ecosystem at the time. Many of these trivial libraries containing only a few lines of code would be _much_ better off not being included as a dependency and instead just written as part of a given package or application which avoids all breakages from said packages and reduces the number of dependencies.
Secondly, the `npm` ecosystem violates the principle of least privilege. A serious issue when installing `npm` packages is that they evaluate arbitrary scripts by default @npm-install-autorun. That means all code running in a node process on a server or being installed on any system can, _by default_, pull any information it desires off a system and mixed with the lack of sandboxing for network access they can further exfiltrate that information to an attack. Scripts should prompt before running at the minimum and network access should require some sort of elevation before the `npm` installer permits access at the very least.
]
],
)
],
[
*(20 points - 2 points each)* In 2-3 sentences each, define the following terms:
#enum(
numbering: "a)",
[
Continuity of Government (COG)
#solve[Continuity of Government is a coordinated effort to ensure that the nation's critical functions required to exist be
performed during a catastrophe. For instance, COG plans would be employed during a nuclear incident to ensure the
continued existence of the United States government.]
],
[
Continuity of Operations Plan (COOP)
#solve[Continuity of Operations Plans are shorter term plans that describe how an organization will carry out its essential
functions in the face of a disaster. These plans are carried out when recovering systems and organizational capacity
until enough recovery has occurred that a given organization can return to normal operations. @term-coop.]
],
[
Electromagnetic Spectrum (EMS)
#solve[As according to NASA, "the electromagnetic (EM) spectrum is the range of all types of EM radiation" @term-ems. In
essence, the EMS contains all known energies at various energy levels/frequencies that we know of, with radio waves
being at the lowest energy level and gamma rays having the highest energy level.]
],
[
Electromagnetic Pulse (EMP)
#solve[An EMP is a "burst of electromagnetic energy" @term-emp. They possess the capability to disrupt electronic (and possibly
other) systems.]
],
[
Geomagnetic Storm
#solve[A Geomagnetic Storm is a major disturbance of Earth's magnetosphere. They result from changes in solar wind from the Sun
and are known to cause failures in satellites. @term-gms]
],
[
High-altitude EMP (HEMP)
#solve[A HEMP is a "...man-made EMP that occurs when a nuclear device is detonated at approximately 40 kilometers or more above
the surface of [the] Earth." @term-hemp HEMPs also include a large scale EMP effect compared to other methods.]
],
[
Nuclear EMP (NEMP)
#solve[A nuclear EMP (NEMP) is an electromagnetic pulse produced by way of a nuclear detonation or a nuclear device. It may or
may not be deployed at high altitude. @term-nemp]
],
[
Non-nuclear EMP (NNEMP)
#solve[A non-nuclear EMP (NNEMP) is an electromagnetic originating from a non nuclear source. Typically the producers of NNEMPs
are high-power microwaves (HPMs) @hemp-threat-assessment.]
],
[
North American Electric Reliability Corporation (NERC)
#solve[The North American Electric Reliability Corporation (NERC) is an international non-profit formed to "assure the
effective and efficient reduction of risks to the reliability and security of the grid." NERC creates Reliability
Standards and their area of responsibility covers the United States, Canada, and the northern portion of Baja
California, Mexico. NERC is overseen by the federal Energy Regulatory Commission and creates guidance and standards for
all users, owners, and operators of bulk power systems like the electric grid. @term-nerc]
],
[
Federal Emergency Management Agency (FEMA)
#solve[FEMA is a government agency part of the Department of Homeland Security. Its raison d'être is to handle emergency
management and civil defense in the face of disasters. @term-fema]
],
)
],
[
*(6 points)* According to the NOAA G-scale for geomagnetic storms
(https://www.swpc.noaa.gov/sites/default/files/images/NOAAscales.pdf):
#enum(
numbering: "a)",
[
*(2 points)* Approximately how many _*years*_ are in a solar cycle?
#solve[There are approximately 11 years in a single solar cycle @noaa-scales.]
],
[
*(2 points)* In a single solar cycle, how many _*days*_ are expected to see a G-5 severity event?
#solve[In a single solar cycle, it is expected that 4 days will see a G-5 severity geomagnetic storm @noaa-scales.]
],
[
*(2 points)* What severity of event could cause an aurora to be visible in Tuscaloosa (Home of the Crimson Tide football
team)?
#solve[The city of Tuscaloosa which is the home of the Crimson Tide football team is located in Alabama @tuscaloosa-govt. Per
NOAA, a G-4 severity geomagnetic storm has been seen within Alabama @noaa-scales.]
],
)
],
[
*(4 points)* Are satellites vulnerable to geomagnetic storms? (Clarification: Only consider U.S. approved launches
NASA, Air Force/Space Force, SpaceX, etc. and not the losses from the European Space Agency.)
#enum(
numbering: "a)",
[#solve[
Yes
]
#note[Considering that SpaceX lost 40 of their satellites back in 2022 @spacex-storm-loss, and that the Center for Geospace
Storms is actively investing in MAGE @mage to detect storms and respond to them, it's a fair bet to say that U.S.
satellites are _still_ vulnerable to geomagnetic storms.]],
[No],
[Only those launched prior to June 15, 1993. Since that launch, all U.S. satellites have been hardened due to the effects—and subsequent regulations—of the March 1989 geomagnetic storm. No U.S. satellites launched after that date have
been affected by geomagnetic storms.],
)
],
)
#bibliography("bibliography.yml")

164
Fall-2024/CS-3113/Assignments/3-Design-Principlies-EMP/bibliography.yml Normal file
View File

@ -0,0 +1,164 @@
lottie-player-crypto-theft:
title: "Lottie Player npm package compromised for crypto wallet theft"
type: Web
date: 2024-10-31
url:
value: https://snyk.io/blog/lottie-player-npm-package-compromised-crypto-wallet-theft/
access: 2024-11-03
lottie-player-gh-issue:
title: " Malicious code in Lottie-Player CDN files #254 "
type: Web
date: 2024-10-30
url:
value: https://github.com/LottieFiles/lottie-player/issues/254
access: 2024-11-03
npm-colors-faker-breakage:
title: "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps"
type: Web
date: 2022-01-09
url:
value: https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
access: 2024-11-03
webche-deps:
title: "Graph of `webche` dependencies from npmgraph"
type: Web
date: 2024-11-03
url:
value: https://npmgraph.js.org/?q=webche#deps=devDependencies
access: 2024-11-03
term-cog:
title: "Continuity of Government"
type: Web
url:
value: https://csrc.nist.gov/glossary/term/continuity_of_government
access: 2024-11-03
term-coop:
title: "Continuity of Operations Plan"
type: Web
url:
value: https://csrc.nist.gov/glossary/term/continuity_of_operations_plan
access: 2024-11-03
term-ems:
title: "Electromagnetic Spectrum"
type: Web
url:
value: https://imagine.gsfc.nasa.gov/science/toolbox/emspectrum1.html
access: 2024-11-03
term-emp:
title: "Electromagnetic Pulse"
type: Web
url:
value: https://www.federalregister.gov/documents/2019/03/29/2019-06325/coordinating-national-resilience-to-electromagnetic-pulses
access: 2024-11-03
term-gms:
title: "Geomagnetic Storm"
type: Web
url:
value: https://www.swpc.noaa.gov/phenomena/geomagnetic-storms
access: 2024-11-03
term-hemp:
title: "High-altitude EMP"
type: Web
url:
value: https://www.federalregister.gov/documents/2019/03/29/2019-06325/coordinating-national-resilience-to-electromagnetic-pulses
access: 2024-11-03
hemp-threat-assessment:
title: "High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments"
type: article
date: 2008-07-21
pages: 26
page-range: 3
url:
value: https://apps.dtic.mil/sti/pdfs/ADA529982.pdf
access: 2024-11-03
term-nemp:
title: "Nuclear EMP"
type: article
date: 1971-03-01
publisher: Air Force Institute of Technology
pages: 200
author:
- Otho V. Kinsley
url:
value: https://apps.dtic.mil/sti/trecms/pdf/AD0735654.pdf
access: 2024-11-03
term-nnemp:
title: "Non-nuclear EMP"
type: Web
url:
value: https://none.local
access: 2024-11-03
term-nerc:
title: "North American Reliability Corporation"
type: Web
url:
value: https://www.nerc.com/AboutNERC/Pages/default.aspx
access: 2024-11-03
term-fema:
title: "Federal Emergency Management Agency"
type: Web
url:
value: https://www.fema.gov/about
access: 2024-11-03
noaa-scales:
title: "NOAA Space Weather Scales"
type: Web
url:
value: https://www.swpc.noaa.gov/sites/default/files/images/NOAAscales.pdf
access: 2024-11-03
tuscaloosa-govt:
title: "City of Tuscaloosa"
type: Web
url:
value: https://www.tuscaloosa.com/
access: 2024-11-03
mage:
title: "Multiscale Atmosphere-Geospace Environment Model"
type: Web
url:
value: https://cgs.jhuapl.edu/Models/mage.php
access: 2024-11-03
spacex-storm-loss:
title: "Solar Storm Knocks 40 SpaceX Satellites Out of OrbitSolar Storm Knocks 40 SpaceX Satellites Out of Orbit"
type: Web
url:
value: https://www.smithsonianmag.com/smart-news/solar-storm-knocks-40-spacex-satellites-out-of-orbit-180979566/
access: 2024-11-03
leftpad-incident:
title: "How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript"
type: Web
url:
value: https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
access: 2024-11-03
npm-install-autorun:
title: "Npm Scripts"
type: Web
url:
value: https://docs.npmjs.com/cli/v10/using-npm/scripts#pre--post-scripts
access: 2024-11-03