cs-3113: add assignment 3
This commit is contained in:
parent
1118e8ebc3
commit
87e7da1603
@ -0,0 +1,264 @@
|
|||||||
|
#set text(font: "Calibri", 11pt)
|
||||||
|
#show link: set text(blue)
|
||||||
|
#set page(margin: 1in, number-align: right + top, "us-letter")
|
||||||
|
#let solve(solution) = {
|
||||||
|
block(
|
||||||
|
inset: 3pt,
|
||||||
|
outset: 1pt,
|
||||||
|
stroke: blue + .3pt,
|
||||||
|
fill: rgb(0, 149, 255, 15%),
|
||||||
|
radius: 4pt,
|
||||||
|
)[#solution]
|
||||||
|
}
|
||||||
|
|
||||||
|
#let solvein(solution) = {
|
||||||
|
let outset = 3pt
|
||||||
|
h(outset)
|
||||||
|
box(
|
||||||
|
outset: outset,
|
||||||
|
stroke: blue + .3pt,
|
||||||
|
fill: rgb(0, 149, 255, 15%),
|
||||||
|
radius: 4pt,
|
||||||
|
)[#solution]
|
||||||
|
}
|
||||||
|
|
||||||
|
#let note(content) = {
|
||||||
|
block(
|
||||||
|
inset: 3pt,
|
||||||
|
outset: 1pt,
|
||||||
|
stroke: luma(20%) + .3pt,
|
||||||
|
fill: luma(95%),
|
||||||
|
radius: 4pt,
|
||||||
|
)[#content]
|
||||||
|
}
|
||||||
|
|
||||||
|
#let notein(content) = {
|
||||||
|
let outset = 3pt
|
||||||
|
h(outset)
|
||||||
|
box(
|
||||||
|
outset: outset,
|
||||||
|
stroke: luma(20%) + .3pt,
|
||||||
|
fill: luma(95%),
|
||||||
|
radius: 4pt,
|
||||||
|
)[#content]
|
||||||
|
}
|
||||||
|
|
||||||
|
#align(
|
||||||
|
center,
|
||||||
|
[
|
||||||
|
#text(size: 1.2em, weight: "black")[
|
||||||
|
CS-3113 Principles of Cyber Security
|
||||||
|
|
||||||
|
Assignment 2: Design Principles and Electromagnetic Pulse, 50 points
|
||||||
|
]
|
||||||
|
|
||||||
|
#note()[#underline[Price Hiller] *|* #underline[zfp106]]
|
||||||
|
],
|
||||||
|
)
|
||||||
|
|
||||||
|
\
|
||||||
|
|
||||||
|
#show heading: set text(weight: "regular")
|
||||||
|
#show heading.where(level: 1): set text(fill: blue)
|
||||||
|
#show heading.where(level: 2): set text(fill: blue.lighten(30%))
|
||||||
|
#show heading.where(level: 3): set text(fill: white.darken(60%))
|
||||||
|
|
||||||
|
= Design Principles and Electromagnetic Pulse Assignment
|
||||||
|
|
||||||
|
== Purpose
|
||||||
|
Apply the Security Design Principles against a real-world example and discuss how secure (or insecure) the ecosystem is.
|
||||||
|
In addition, explore the impact of an electromagnetic pulse (EMP) to the nation's critical infrastructure - including
|
||||||
|
information systems.
|
||||||
|
|
||||||
|
== Assignment
|
||||||
|
=== Design Principles
|
||||||
|
|
||||||
|
The class spent several weeks examining the 11 General/Fundamental and Security Design Principles. While some examples
|
||||||
|
were provided, this assignment is going to have you apply those design principles to a real-world system – the `NPM`
|
||||||
|
package manager. `NPM` is a package manager for JavaScript and there have been numerous incidents that illustrate the "ecosystem"
|
||||||
|
was not designed to be secure.
|
||||||
|
|
||||||
|
=== Electromagnetic Pulse (EMP)
|
||||||
|
On March 26, 2019, the President issued Executive Order 13865 "Coordinating National Resilience to Electromagnetic
|
||||||
|
Pulses." The purpose, found in Section 1 of this order is:
|
||||||
|
|
||||||
|
#box(inset: (
|
||||||
|
left: 2em,
|
||||||
|
))[*Section 1.* _Purpose. *An electromagnetic pulse (EMP) has the potential to disrupt, degrade, and damage technology and critical
|
||||||
|
infrastructure
|
||||||
|
systems.*_ Human-made or naturally occurring EMPs can affect large geographic areas, disrupting elements critical to the
|
||||||
|
Nation's security and economic prosperity, and could adversely affect global commerce and stability. The Federal
|
||||||
|
Government must foster sustainable, efficient, and cost-effective approaches to improving the Nation's resilience to the
|
||||||
|
effects of EMPs.]
|
||||||
|
|
||||||
|
(The combination of bolded and italics is my editing.)
|
||||||
|
|
||||||
|
*This assignment should be an individual effort. You may discuss the assignment with other students or individuals, but
|
||||||
|
all answers must be your own work – and based on your own research/studying.*
|
||||||
|
|
||||||
|
== Deliverables
|
||||||
|
A report using reasonable document settings for font, margins, etc. that contains answers/responses to the questions
|
||||||
|
below.
|
||||||
|
|
||||||
|
Include appropriate references as footnotes, endnotes, or a references section.
|
||||||
|
#pagebreak()
|
||||||
|
|
||||||
|
= Questions
|
||||||
|
|
||||||
|
#enum(
|
||||||
|
[
|
||||||
|
*(20 points)* The npm (Node Package Manager) is a package manager for JavaScript. See the Wikipedia page here:
|
||||||
|
https://en.wikipedia.org/wiki/Npm_(software) The Wikipedia page lists several "Notable Breakages" including one from
|
||||||
|
January 2022 where the maintainer of the "colors" package purposely pushed a broken/malicious update. Almost 19,000
|
||||||
|
projects relied on this package and many applications were broken due to this update. More information here:
|
||||||
|
https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
|
||||||
|
|
||||||
|
In addition, there is a website that will create the dependency graph for various npm modules. It can be found here:
|
||||||
|
https://npmgraph.js.org/
|
||||||
|
|
||||||
|
To illustrate how a project can have a large number of dependencies, enter the "npm" module in the textbox at the top
|
||||||
|
right corner of the page. This will draw a graph showing the 185 modules that the npm module is dependent on (as of
|
||||||
|
06/27/2024) in order for it to function so you can see the overall complexity of npm itself.
|
||||||
|
|
||||||
|
#enum(
|
||||||
|
numbering: "a)",
|
||||||
|
[
|
||||||
|
*(2 points)* In what month and year was there a breakage involving a package that stole cryptocurrency?
|
||||||
|
#solve[The Lottie Player npm package created a new release that attempted to steal cryptocurrency. It was reported by "MrAhmedSayedAli",
|
||||||
|
a user on Github @lottie-player-gh-issue, the malicious version was pushed on October 30th, 2024.]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
*(2 points)* Roughly how many downloads did the _colors_ library receive _per week_ on npm?
|
||||||
|
#solve[When the `colors` package pushed a malicious update it had "over 20 million weekly downloads".
|
||||||
|
@npm-colors-faker-breakage]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
*(3 points)* How many modules does "`webche`" depend on if we include `devDependencies`?
|
||||||
|
#solve[The `webche` package on NPM depends on 1,482 other modules or 1,481 modules it depends on if we ignore the single top
|
||||||
|
level package (that being `webche` itself). @webche-deps]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
*(3 points)* If someone spent even 15 minutes to verify each of the `webche` dependencies, how many weeks would that
|
||||||
|
take – assuming someone is working 40 hours/week on this effort? (Answer in whole week numbers and always round upwards.
|
||||||
|
Ex: 33 or 34, not 32.64 or 33.13.)
|
||||||
|
#solve[
|
||||||
|
It would take approximately $10$ weeks to verify all of `webche`'s dependencies.
|
||||||
|
#note[$⌈((1482 ⋅ 15) ÷ 60) ÷ 40⌉ = 10$]
|
||||||
|
]
|
||||||
|
],
|
||||||
|
// TODO: DO THIS BELOW!!!
|
||||||
|
[
|
||||||
|
*(10 points)* Select 2 of the 11 general/fundamental and secure design principles and, in a total of 250-300 words, describe how those design principles are not properly applied/used in the "npm ecosystem."
|
||||||
|
|
||||||
|
#solve[
|
||||||
|
Two of the fundamental and secure design principles that the `npm` ecosystem violates are simplicity and the principle of least privilege.
|
||||||
|
|
||||||
|
Firstly, for simplicity, the `npm` ecosystem has a extraordinarily bad habit of creating tiny libraries that get reused in more important foundational libraries. There is an argument to not recreate the wheel, but some things are so trivial that its worth doing. Take for instance, the `left-pad` incident way back in 2016 @leftpad-incident. All `left-pad` does is pad the left side of strings. This is built in to format functions within Javascript rendering `left-pad` pointless. In fact, its _more complex_ to include `left-pad` in a project as it requires a full network call to download the package for what is, again, _already built in_. The `left-pad` package was unpublished from `npm` resulting in mass breakages across the entire `npm` ecosystem at the time. Many of these trivial libraries containing only a few lines of code would be _much_ better off not being included as a dependency and instead just written as part of a given package or application which avoids all breakages from said packages and reduces the number of dependencies.
|
||||||
|
|
||||||
|
Secondly, the `npm` ecosystem violates the principle of least privilege. A serious issue when installing `npm` packages is that they evaluate arbitrary scripts by default @npm-install-autorun. That means all code running in a node process on a server or being installed on any system can, _by default_, pull any information it desires off a system and mixed with the lack of sandboxing for network access they can further exfiltrate that information to an attack. Scripts should prompt before running at the minimum and network access should require some sort of elevation before the `npm` installer permits access at the very least.
|
||||||
|
]
|
||||||
|
],
|
||||||
|
)
|
||||||
|
],
|
||||||
|
[
|
||||||
|
*(20 points - 2 points each)* In 2-3 sentences each, define the following terms:
|
||||||
|
#enum(
|
||||||
|
numbering: "a)",
|
||||||
|
[
|
||||||
|
Continuity of Government (COG)
|
||||||
|
#solve[Continuity of Government is a coordinated effort to ensure that the nation's critical functions required to exist be
|
||||||
|
performed during a catastrophe. For instance, COG plans would be employed during a nuclear incident to ensure the
|
||||||
|
continued existence of the United States government.]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
Continuity of Operations Plan (COOP)
|
||||||
|
#solve[Continuity of Operations Plans are shorter term plans that describe how an organization will carry out its essential
|
||||||
|
functions in the face of a disaster. These plans are carried out when recovering systems and organizational capacity
|
||||||
|
until enough recovery has occurred that a given organization can return to normal operations. @term-coop.]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
Electromagnetic Spectrum (EMS)
|
||||||
|
#solve[As according to NASA, "the electromagnetic (EM) spectrum is the range of all types of EM radiation" @term-ems. In
|
||||||
|
essence, the EMS contains all known energies at various energy levels/frequencies that we know of, with radio waves
|
||||||
|
being at the lowest energy level and gamma rays having the highest energy level.]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
Electromagnetic Pulse (EMP)
|
||||||
|
#solve[An EMP is a "burst of electromagnetic energy" @term-emp. They possess the capability to disrupt electronic (and possibly
|
||||||
|
other) systems.]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
Geomagnetic Storm
|
||||||
|
#solve[A Geomagnetic Storm is a major disturbance of Earth's magnetosphere. They result from changes in solar wind from the Sun
|
||||||
|
and are known to cause failures in satellites. @term-gms]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
High-altitude EMP (HEMP)
|
||||||
|
#solve[A HEMP is a "...man-made EMP that occurs when a nuclear device is detonated at approximately 40 kilometers or more above
|
||||||
|
the surface of [the] Earth." @term-hemp HEMPs also include a large scale EMP effect compared to other methods.]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
Nuclear EMP (NEMP)
|
||||||
|
#solve[A nuclear EMP (NEMP) is an electromagnetic pulse produced by way of a nuclear detonation or a nuclear device. It may or
|
||||||
|
may not be deployed at high altitude. @term-nemp]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
Non-nuclear EMP (NNEMP)
|
||||||
|
#solve[A non-nuclear EMP (NNEMP) is an electromagnetic originating from a non nuclear source. Typically the producers of NNEMPs
|
||||||
|
are high-power microwaves (HPMs) @hemp-threat-assessment.]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
North American Electric Reliability Corporation (NERC)
|
||||||
|
#solve[The North American Electric Reliability Corporation (NERC) is an international non-profit formed to "assure the
|
||||||
|
effective and efficient reduction of risks to the reliability and security of the grid." NERC creates Reliability
|
||||||
|
Standards and their area of responsibility covers the United States, Canada, and the northern portion of Baja
|
||||||
|
California, Mexico. NERC is overseen by the federal Energy Regulatory Commission and creates guidance and standards for
|
||||||
|
all users, owners, and operators of bulk power systems like the electric grid. @term-nerc]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
Federal Emergency Management Agency (FEMA)
|
||||||
|
#solve[FEMA is a government agency part of the Department of Homeland Security. Its raison d'être is to handle emergency
|
||||||
|
management and civil defense in the face of disasters. @term-fema]
|
||||||
|
],
|
||||||
|
)
|
||||||
|
],
|
||||||
|
[
|
||||||
|
*(6 points)* According to the NOAA G-scale for geomagnetic storms
|
||||||
|
(https://www.swpc.noaa.gov/sites/default/files/images/NOAAscales.pdf):
|
||||||
|
#enum(
|
||||||
|
numbering: "a)",
|
||||||
|
[
|
||||||
|
*(2 points)* Approximately how many _*years*_ are in a solar cycle?
|
||||||
|
#solve[There are approximately 11 years in a single solar cycle @noaa-scales.]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
*(2 points)* In a single solar cycle, how many _*days*_ are expected to see a G-5 severity event?
|
||||||
|
#solve[In a single solar cycle, it is expected that 4 days will see a G-5 severity geomagnetic storm @noaa-scales.]
|
||||||
|
],
|
||||||
|
[
|
||||||
|
*(2 points)* What severity of event could cause an aurora to be visible in Tuscaloosa (Home of the Crimson Tide football
|
||||||
|
team)?
|
||||||
|
#solve[The city of Tuscaloosa which is the home of the Crimson Tide football team is located in Alabama @tuscaloosa-govt. Per
|
||||||
|
NOAA, a G-4 severity geomagnetic storm has been seen within Alabama @noaa-scales.]
|
||||||
|
],
|
||||||
|
)
|
||||||
|
],
|
||||||
|
[
|
||||||
|
*(4 points)* Are satellites vulnerable to geomagnetic storms? (Clarification: Only consider U.S. approved launches –
|
||||||
|
NASA, Air Force/Space Force, SpaceX, etc. and not the losses from the European Space Agency.)
|
||||||
|
#enum(
|
||||||
|
numbering: "a)",
|
||||||
|
[#solve[
|
||||||
|
Yes
|
||||||
|
]
|
||||||
|
#note[Considering that SpaceX lost 40 of their satellites back in 2022 @spacex-storm-loss, and that the Center for Geospace
|
||||||
|
Storms is actively investing in MAGE @mage to detect storms and respond to them, it's a fair bet to say that U.S.
|
||||||
|
satellites are _still_ vulnerable to geomagnetic storms.]],
|
||||||
|
[No],
|
||||||
|
[Only those launched prior to June 15, 1993. Since that launch, all U.S. satellites have been hardened due to the effects—and subsequent regulations—of the March 1989 geomagnetic storm. No U.S. satellites launched after that date have
|
||||||
|
been affected by geomagnetic storms.],
|
||||||
|
)
|
||||||
|
],
|
||||||
|
)
|
||||||
|
|
||||||
|
#bibliography("bibliography.yml")
|
@ -0,0 +1,164 @@
|
|||||||
|
lottie-player-crypto-theft:
|
||||||
|
title: "Lottie Player npm package compromised for crypto wallet theft"
|
||||||
|
type: Web
|
||||||
|
date: 2024-10-31
|
||||||
|
url:
|
||||||
|
value: https://snyk.io/blog/lottie-player-npm-package-compromised-crypto-wallet-theft/
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
|
||||||
|
lottie-player-gh-issue:
|
||||||
|
title: " Malicious code in Lottie-Player CDN files #254 "
|
||||||
|
type: Web
|
||||||
|
date: 2024-10-30
|
||||||
|
url:
|
||||||
|
value: https://github.com/LottieFiles/lottie-player/issues/254
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
npm-colors-faker-breakage:
|
||||||
|
title: "Dev corrupts NPM libs 'colors' and 'faker' breaking thousands of apps"
|
||||||
|
type: Web
|
||||||
|
date: 2022-01-09
|
||||||
|
url:
|
||||||
|
value: https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
webche-deps:
|
||||||
|
title: "Graph of `webche` dependencies from npmgraph"
|
||||||
|
type: Web
|
||||||
|
date: 2024-11-03
|
||||||
|
url:
|
||||||
|
value: https://npmgraph.js.org/?q=webche#deps=devDependencies
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-cog:
|
||||||
|
title: "Continuity of Government"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://csrc.nist.gov/glossary/term/continuity_of_government
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-coop:
|
||||||
|
title: "Continuity of Operations Plan"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://csrc.nist.gov/glossary/term/continuity_of_operations_plan
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-ems:
|
||||||
|
title: "Electromagnetic Spectrum"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://imagine.gsfc.nasa.gov/science/toolbox/emspectrum1.html
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-emp:
|
||||||
|
title: "Electromagnetic Pulse"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://www.federalregister.gov/documents/2019/03/29/2019-06325/coordinating-national-resilience-to-electromagnetic-pulses
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-gms:
|
||||||
|
title: "Geomagnetic Storm"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://www.swpc.noaa.gov/phenomena/geomagnetic-storms
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-hemp:
|
||||||
|
title: "High-altitude EMP"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://www.federalregister.gov/documents/2019/03/29/2019-06325/coordinating-national-resilience-to-electromagnetic-pulses
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
hemp-threat-assessment:
|
||||||
|
title: "High Altitude Electromagnetic Pulse (HEMP) and High Power Microwave (HPM) Devices: Threat Assessments"
|
||||||
|
type: article
|
||||||
|
date: 2008-07-21
|
||||||
|
pages: 26
|
||||||
|
page-range: 3
|
||||||
|
url:
|
||||||
|
value: https://apps.dtic.mil/sti/pdfs/ADA529982.pdf
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-nemp:
|
||||||
|
title: "Nuclear EMP"
|
||||||
|
type: article
|
||||||
|
date: 1971-03-01
|
||||||
|
publisher: Air Force Institute of Technology
|
||||||
|
pages: 200
|
||||||
|
author:
|
||||||
|
- Otho V. Kinsley
|
||||||
|
url:
|
||||||
|
value: https://apps.dtic.mil/sti/trecms/pdf/AD0735654.pdf
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-nnemp:
|
||||||
|
title: "Non-nuclear EMP"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://none.local
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-nerc:
|
||||||
|
title: "North American Reliability Corporation"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://www.nerc.com/AboutNERC/Pages/default.aspx
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
term-fema:
|
||||||
|
title: "Federal Emergency Management Agency"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://www.fema.gov/about
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
|
||||||
|
noaa-scales:
|
||||||
|
title: "NOAA Space Weather Scales"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://www.swpc.noaa.gov/sites/default/files/images/NOAAscales.pdf
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
tuscaloosa-govt:
|
||||||
|
title: "City of Tuscaloosa"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://www.tuscaloosa.com/
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
|
||||||
|
mage:
|
||||||
|
title: "Multiscale Atmosphere-Geospace Environment Model"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://cgs.jhuapl.edu/Models/mage.php
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
|
||||||
|
spacex-storm-loss:
|
||||||
|
title: "Solar Storm Knocks 40 SpaceX Satellites Out of OrbitSolar Storm Knocks 40 SpaceX Satellites Out of Orbit"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://www.smithsonianmag.com/smart-news/solar-storm-knocks-40-spacex-satellites-out-of-orbit-180979566/
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
|
||||||
|
leftpad-incident:
|
||||||
|
title: "How one developer just broke Node, Babel and thousands of projects in 11 lines of JavaScript"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://www.theregister.com/2016/03/23/npm_left_pad_chaos/
|
||||||
|
access: 2024-11-03
|
||||||
|
|
||||||
|
|
||||||
|
npm-install-autorun:
|
||||||
|
title: "Npm Scripts"
|
||||||
|
type: Web
|
||||||
|
url:
|
||||||
|
value: https://docs.npmjs.com/cli/v10/using-npm/scripts#pre--post-scripts
|
||||||
|
access: 2024-11-03
|
Loading…
Reference in New Issue
Block a user