Network Security
Introduction to Security Problems & Malware
Text: Computer Security: Principles and Practice, Chapter 7

Objectives: The student shall learn to:
  Describe the 3 goals of security.
  Define hacking, cracking, attack, control, social engineering, script kiddies, whitehat hacker, cyberterrorist, cyberwar, biometrics, phishing.
  Describe why ‘ethical’ hackers are not completely ethical.
  Define and provide examples for: Principle of Weakest Link, layered defense, social engineering, Denial Of Service, and Distributed Denial Of Service.
  Define and describe logic bomb, worm, virus, trojan horse, bacteria/rabbit, trapdoor, salami attack, and covert channel.
  Define and describe stealth virus, polymorphic virus, macro virus, boot sector virus.

Class Time: The class shall be conducted as follows:
  Syllabus & Projects: 1 hour
  Intro to Security Problems: 1 hour
  Intro to Social Engineering - Exercise: 1 hour
  Total: 3 hours

Introduction

2009 CSI/FBI Computer Crime and Security Survey
Losses: $234,244 average per respondent (185 respondents).
Top 3 in $:
  Wireless Exploit ($770K – 7.6%)
  Theft of Personal Information ($710K – 16%)
  Financial Fraud ($450K – 19.5%)
Top in % of organizations that experienced them:
  Malware Infection (64.3%)
  Laptop or mobile H/W theft (42.2%)
  Phishing in which the organization was fraudulently represented as sender (34%)
  Insider abuse of Net access or e-mail (29.7%)
  Denial of Service (29.2%)
  Bots (zombies) within the organization (23%)
  Financial Fraud ($450K – 19.5%)
  Password sniffing (17.3%)
  Theft of Personal Information ($710K – 16%)
  Unauthorized access to information by insider (14%)
  Web site defacement (14%)
  Wireless Network Exploit ($770K – 7.6%)
  Instant messaging misuse (7.6%)
  DNS server exploit (7%)
Top 20 list: www.sans.org/top20.htm
Other interesting statistics (2009 CSI/FBI Computer Crime and Security Survey):
  71% indicate that their organizations do not outsource any computer security functions.
  Only 7.7% categorized their organizations as “health services”, but 57.1% said they had to comply with HIPAA.
  76% of organizations encounter losses due to non-malicious insiders, while 43% encounter losses due to malicious insiders.
  86% of organizations would not hire a reformed hacker (2006).

Security Goals
  Confidentiality: Accessible for reading by authorized parties only.
  Integrity: Assets can be modified by authorized parties only. Accurate, consistent, modified in authorized ways.
  Availability: Assets are available to authorized parties. Timely and usable.
Threats include:
  Interruption: Asset is destroyed or becomes unavailable or unusable.
  Interception: Unauthorized party gains access to an asset: eavesdropping.
  Modification: An unauthorized party tampers with an asset.
  Fabrication: An unauthorized party inserts counterfeit objects into the system.
  These can apply to data, hardware and software.
Discussion: Which threats are related to which security requirements?
Types of threats:
  Passive threats: Confidentiality/Interception
    Goal: to obtain information: eavesdropping or monitoring.
    Includes:
      Release of message contents.
      Traffic analysis: Attacker determines the location and identity of communicating hosts and the frequency and length of messages being exchanged. Can guess the nature of the communication.
  Active threats: Interruption, Modification, Fabrication.
    Includes:
      Message-stream modification: Message is reworded or reordered.
        Original: Allow John Smith to read confidential accounts
        Modified: Allow Fred Brown to read confidential accounts
      Denial of Service: E.g. suppress messages to a destination; disrupt the entire network.
      Masquerade or Spoofing: One entity pretends to be a different entity. Capture and replay an authentication sequence.
      Packet Replay: A past packet is transmitted again in order to gain access or otherwise cause damage.
Data is the most common, serious threat:
  Integrity: Incorrect data can be life-threatening: flight coordinate data, medical data.
    Example: Salami Attack: Shave off a little from many accounts to accumulate in a single large account.
  Confidentiality: Disclosure of customer data can result in loss of customers.
  Availability: Stalled business opportunities.

Vulnerability: A weakness in the security system.
Attack: A person exploits a vulnerability.
Control: A protective measure (action, device, or technique for reducing vulnerabilities).
Social Engineering: Tricking employees into giving information or performing an action.
  “Tell me your mother’s maiden name.”
  “I am your director/sys admin. Tell me your password.”
  Email from a ‘friend’ or ‘antivirus company’ holds a virus.
  The US General Accounting Office, in a test, obtained passwords from many federal agencies.
Phishing: Spoofed emails/websites requesting information such as financial data, social security number, account names and passwords.
Hacking: Intentionally accessing a computer without authorization or using the computer beyond authorized permission.
  Previous definition: Performing a difficult task with expertise: “hacking a solution”.
Cracking: Alternate term indicating illegal access to a computer.

Denial of Service (DoS) Attacks
  Single-Message DoS Attacks: Crash or disable the system by attacking a vulnerability.
  Flooding DoS Attack: Flood the victim with requests.
    SYN Flooding: Flood the victim host with TCP SYNs (which initiate a session).
    Smurf Attack: Broadcast pings to third parties with the source address of the victim host.
  Distributed DoS (DDoS): Three layers of attack:
    Victim: The attacked node.
    Zombie: Performs the attack on the victim (via SYN flood, smurf attack, …).
    Handler: Notifies zombies to perform the attack.
    Attacker: Notifies handlers to start the attack.
  IP Address Spoofing: Lying about your source IP address (possible when you don't need a reply).
  Problem: DoS traffic looks like valid requests. DoS attacks must be disabled at the source.

Attackers
  Computer Criminals: Ordinary people of all shapes, education levels, social levels, out for revenge, fun, profit.
  Amateurs: People with access to something valuable: employees, contractors. Financial theft, trade secret theft, sabotage.
  Crackers: People who enjoy cracking computer defenses for fun, curiosity, self-satisfaction.
    Elite hacker: Has the technical expertise to build scripts/viruses.
    Script kiddies: Use prewritten attack scripts.
    White hat crackers or Ethical hackers: Break in, may email administrators the vulnerabilities, little/minor damage.
    Black hat crackers: Do not inform administrators, may do harm.
  Career Criminals: People who look for payoffs: electronic spies, information brokers (credit card, identity theft).
    Extortion: Pay us or we will publish your vulnerabilities.
  Cyberterrorists or Hacktivists: Hackers with political motivations.
  Cyberwar: National governments attack IT.
  Espionage: Governments spy on foreign companies to gain economic advantages. Accused: France, Russia, China, South Korea, Germany, Israel, India, Pakistan, US.

Ethical Hackers
  Hacker code of ethics: “Do no damage”.
  However, they approve of:
    Changing security logs
    Disabling security protections
    Reading corporate information
  Attitude that hacking is beneficial: keeps ‘stupid corporations on their toes’.
  May have anti-corporation or anti-government leanings.
Victim classification
  Targeted Attacks: Organization-specific victim.
  Target-of-Opportunity Attacks: Random attacks on vulnerable organizations.

Control
Methods of Control:
  Prevent it: Block the attack.
  Deter it: Make the attack harder.
  Deflect it: Create an attractive target.
  Detect it: Control after the fact.
  Recover: from the effects.
Control Techniques include:
  Encryption
  Hardware Control: Locks, smart cards, firewalls, IDS, biometrics
  Policies & Procedures: Security & ethics training, frequent change of passwords
  Physical Controls: Guards, backup copies, site planning that resists natural disasters, biometrics
  Biometrics: Testing human physical characteristics to allow access
  Software control:
    Internal program controls: Access/authorization limitations
    OS & Network controls: Measures to protect users from other users.
    Independent control programs: Password checkers, virus scanners, IDS
    Development controls: Quality standards in software development prevent security holes.
Principle of Weakest Link: Security is no stronger than its weakest link.
  A system is weakest at its most vulnerable point: people, power supply or an unpatched OS.
Layered Defense: Complementary and overlapping controls.
  Necessary to counter incomplete, misused or failed controls.
  Border Router + Perimeter firewall + Internal firewall + Intrusion Detection System + Internal Routers + Policies & Procedures (e.g., Patching) + Audits

Malicious Programs
Logic Bomb: Code embedded in a legitimate program that is set to perform an unobvious, unwanted function when certain conditions are met.
  Example: A contractor inserted a logic bomb to disable a system on a certain date unless the contractor had been paid. (The library was dissatisfied with performance.)
  Example: A login script saves login ID and password to a file for later access.
  Time bomb: Program ‘explodes’ at a specific time.
Trapdoor or Backdoor: Secret undocumented entry point into a program used to grant access without the normal methods of access authentication.
  Code that recognizes some special sequence of input, or that is triggered by being run from a certain user ID.
  Can be used for test, maintenance or covert access.
  Example: A programmer developed a trapdoor to debug and test the program: view/change parameter values, control execution.
  Example: No default case in a switch statement allows entry, OR an input buffer overflow.
  Example: Send a bogus operating system update to an unsuspecting site.
Trojan Horse: Secret undocumented routine embedded within a useful program.
  Example: A low-privilege user produces a game program and invites the system operator to use it in spare time. The program does play a game but also copies the password file into the user's file. Because the game runs in the operator's high-privilege mode, it has access to the password file.
  Example: A program that changes the invoking user's file permissions so that the files are readable by any user.
  Example: The author induces users to run the program by placing it in a common directory and naming it such that it appears to be a useful utility: e.g. a format-and-print utility.
  Example: Download pictures from a web page.
  Remote Access Trojan: The attacked computer becomes a backdoor for a hacker, allowing them to do anything they want.
Spyware: Program relays private info to a distant computer.
  May gather passwords, log-in details, account numbers (e.g., credit card), individual files, personal info (web URLs, running applications), etc.
  Does not make its presence known; does not self-replicate.
  Can be downloaded from a web site or received via email or Instant Messaging.
  The user may be tricked into accepting spyware via an End User License Agreement (EULA).
  Found on bulletin boards.
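Added illustration (not from the lecture notes or the textbook): the trapdoor example "no default case in a switch statement allows entry" above, rendered in Python as an if/elif chain with no else branch, next to its default-deny fix and a small check that audits a log for grants made to roles the policy does not know. The roles, actions, policy table and log lines are constructed for this illustration.

```python
# Constructed policy (hypothetical roles and actions): which actions each
# known role may perform.
POLICY = {
    "clerk":   {"view_balance"},
    "manager": {"view_balance", "approve_loan"},
    "auditor": {"view_balance", "read_logs"},
}

# Constructed audit-log lines: "<role> <action> <decision>"
SAMPLE_AUTH_LOG = [
    "clerk view_balance ALLOW",
    "clerk approve_loan DENY",
    "ghost approve_loan ALLOW",
    "manager approve_loan ALLOW",
]


def authorize_fail_open(role, action):
    """Flawed version: the decision starts out as 'allowed' and is only
    overridden for the roles the author anticipated. This is the Python
    shape of a C switch with no default case: a role string nobody
    expected (the trapdoor's special input) passes straight through."""
    allowed = True
    if role == "clerk":
        allowed = action in POLICY["clerk"]
    elif role == "manager":
        allowed = action in POLICY["manager"]
    elif role == "auditor":
        allowed = action in POLICY["auditor"]
    # no else branch: an unknown role leaves allowed == True
    return allowed


def authorize_default_deny(role, action):
    """Hardened version: nothing is allowed unless the (role, action) pair is
    explicitly listed, so an unknown role or action can never gain entry."""
    permitted = POLICY.get(role)
    return permitted is not None and action in permitted


def audit_unknown_roles(log_lines):
    """Detection check over auth-log lines: report any ALLOW decision made
    for a role that does not exist in the policy, which is the trace a
    fail-open path leaves behind."""
    findings = []
    for line in log_lines:
        role, action, decision = line.split()
        if decision == "ALLOW" and role not in POLICY:
            findings.append((role, action))
    return findings


if __name__ == "__main__":
    for role, action in [("clerk", "approve_loan"), ("ghost", "approve_loan")]:
        print(role, action, "fail-open:", authorize_fail_open(role, action),
              "default-deny:", authorize_default_deny(role, action))
    print("suspicious grants:", audit_unknown_roles(SAMPLE_AUTH_LOG))
```

The point to take from the two functions is where the default lives: in the flawed version the default is an implicit grant that only the anticipated cases narrow down, in the hardened version the default is a refusal that only the listed cases widen. The audit function shows what to look for after the fact: a grant for a principal the policy has never heard of.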
Adware: Delivers advertising to the user.
  Provides popup advertisements, OR replaces advertisements on a web page with its own, OR replaces search queries and responses with its own.
  May collect info about the user, including web usage, to send to the adware provider.
  Downloaded via web page, email, Instant Messaging, EULA.
  Does not self-replicate.
Bacteria or Rabbit: Independent program that consumes system resources by replicating itself.
  Reproduces exponentially, eventually using up all processor capacity, memory or disk space.
  Example: Loop: create directory; change to directory.
Virus: Code that causes a copy of itself to be inserted into one or more programs.
  Propagates itself. Performs an unwanted action (= payload).
  Spread by unsuspecting users who swap floppies, use internet relay chat, or send emails or programs over a network.
  Prevalence: 90% of viruses spread by email. 1 in 200 or 1 in 400 emails contained viruses in mid-2002.
  Flash virus: Nimda took 22 minutes to reach the number 1 position.
Worm: Independent program which replicates itself and sends copies from computer to computer across network connections.
  Upon arrival the worm may be activated to replicate. Performs some unwanted function.
  Replicates itself by:
    Emailing a copy of itself to other systems (using email addresses collected from your email system).
    Remotely executing a copy of itself on another system.
    Logging on to a remote system as a user and then using commands to copy itself to the new system.
Salami Attack: Merges bits of inconsequential data to yield a large sum.
  Example: Collect fractions of $ in interest/tax and put them in a single account.
Covert Channel: Programs leak information.
  A form of spying or sending information: e.g., a customer sells stock.
  Extract data clandestinely by patterns.
  Storage Channels: Existence of a file indicates one or zero.
  Example: Report formatting can display information: low-order numbers.
  Example: TV show: Yes = 1 cough; No = 2 coughs.
  Example: Loki: Uses ICMP echoes as a tunnel protocol.

Viruses
Viruses attach to or can be found in:
  Executable files.
  Macro files: A macro defines a series of commands that are interpreted.
  Document virus: Files with data and commands. Includes: database, spreadsheet, presentation, written document, pictures.
    Startup macro: Viruses can add a virus macro to the Startup macro (executed upon document/file startup).
  Data files: Files may list executable programs: STARTUP.
A virus starts by:
  Manual startup of a program.
  SETUP program: Initiated by system boot.
  Email attachment: Open Me!!!
Viruses can be:
  Transient: The virus runs when the program runs and terminates when the program terminates.
  Resident: The virus lodges itself in memory and remains active after program termination.
Worms and viruses have the same stages:
  1. Dormant phase: Optional phase which waits for an event, date, presence of another program... Most viruses execute only once.
  2. Propagation phase: Includes: Search for other systems to infect by examining host tables. Establish a connection with the remote system. Copy itself to the remote system and cause the copy to be run. Spread by email, floppy, file download, any transportable disk. Example: May send itself to all in the recipient’s address book.
  3. Triggering phase: Activates to perform the function for which it was intended. May be triggered by a variety of events: e.g. the number of copies it has made of itself.
  4. Execution phase: The function is performed. Harmless: a message on the screen. Damaging: destruction of programs and data files.
Virus Structure: A virus can be prepended, appended, or embedded into an executable program. Steps may include:
  Compress the original program.
  Prepend itself to the program (most common).
  When the program is run, the virus runs first, then uncompresses the original program and executes it.
  The size of the original program is the same as the program with the virus.
Types of viruses
  Parasitic virus: Attaches itself to executable files and replicates when the program is executed. Most common.
  Memory-resident virus: Lodges in memory and infects every program that executes.
  Boot sector virus: Infects a boot record and spreads when a system is booted from the disk containing the virus.
    Normally the boot sector contains the bootstrap loader, which chains to the system initialization code. The virus stores itself in the boot sector, and chains the bootstrap loader and system initialization code to itself.
  Stealth virus: Designed to hide itself from detection by antivirus s/w.
    Example: compression to appear the same size as the original.
    Example: hidden files.
  Polymorphic virus: A virus that mutates with every infection, making detection by signature difficult.
    Example: Uses a random key to encrypt the virus; but virus scanners can look for the decryption steps.
    Example: Uses jumps or harmless instructions to move instructions around.
  Metamorphic virus: Polymorphic and mutates itself with every infection.
  Macro virus: Platform-independent, depends on macros.
Antivirus Approaches:
  1. Detect the virus/worm.
  2. Identify the virus/worm.
  3. Remove (all traces of) the virus/worm.
To fight viruses/worms:
  Use virus protection software and update it regularly.
  Be careful when opening email attachments.
  Email software should not open attachments automatically.
  Extensions may not indicate the actual type of document: the document type is hidden within the start of the document.
  May use antivirus software on the mail server or use an external mail inspection firm.
  Choose your community carefully: closed communities have less trouble.
  Use commercial software from reliable vendors.
  Test all new software on isolated computers.
  Prepare a safe boot image.
Virus Scanners:
  1st Gen: Signature scanning: Scanning for fragments of code associated with viruses.
  2nd Gen: Heuristic scanning: Fragments of code are generally similar but may differ slightly.
  3rd Gen: Behavior scanning: Memory-resident software identifies a virus by its actions. Defense: behavior blocking software.
  4th Gen: Combines signature, heuristic and behavior scanning. May be able to remove viruses. Remembers system file lengths and adds checksums to verify integrity.

Examples
Brain Virus
  Lodges in upper memory, then sets the upper memory bound below itself.
  Replaces the interrupt vector for disk reads in order to screen disk read calls. Calls the interrupt handler after screening.
  Places itself in the boot sector and six other sectors on disk. Marks the sectors as ‘bad’ so they will not get overwritten.
  Variants erase disks or destroy the file allocation table.
Internet Worm (UNIX)
  Created by Robert Morris, convicted 1990, received a $10K fine, 3 years jail, 400 hours community service.
  Unintended effect: Denial of service due to resource exhaustion: worms created more worms (even on the same machine).
  Exploited one of three flaws to spread itself:
    Password guessing: Compared encrypted passwords with the ciphertext in the password file.
    Fingerd: Program provides info about system users. An input buffer overflow overflowed onto the system stack. The address placed on the system stack caused a connection to a remote shell.
    Sendmail program trapdoor: In debug mode, executes a command string instead of sending mail.
  Once the system was penetrated:
    Send a bootstrap loader of 99 lines of C code to be executed on the target machine.
    Fetch the rest of the worm, verified by password.
  Stealth: encrypted itself, deleted the original version, changed its name periodically.
  Resulted in the emergence of emergency response teams.
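Added illustration (not from the lecture notes or the textbook) for two earlier passages: the flooding DoS attacks (SYN flooding, smurf) and the Loki-style ICMP covert channel. It shows the detection side only: the traffic patterns each attack leaves behind, found in a constructed list of packet records that stands in for a real capture. The record format, thresholds, the ".255" directed-broadcast heuristic and the assumption that benign ping clients fill the echo payload with an incrementing byte pattern are all choices made for this illustration.

```python
import math
from collections import defaultdict

# Constructed packet records (not real captures): (time, proto, src, dst, info)
#   TCP:  info = (sport, flags), flags "S" = SYN, "A" = the client's ACK
#   ICMP: info = (icmp_type, payload), type 8 = echo request, 0 = echo reply
PING_PAYLOAD = bytes(range(0x10, 0x10 + 48))                     # ping filler pattern
TUNNEL_PAYLOAD = bytes((i * 73 + 17) % 256 for i in range(48))  # stand-in for tunnelled data


def build_sample_packets():
    pkts = []
    # one legitimate handshake: SYN, then the client's ACK
    pkts.append((0.0, "tcp", "10.0.0.20", "10.0.0.5", (40001, "S")))
    pkts.append((0.1, "tcp", "10.0.0.20", "10.0.0.5", (40001, "A")))
    # 25 SYNs from 25 different sources that are never completed
    for i in range(25):
        pkts.append((1.0 + i / 100, "tcp", f"198.51.100.{i + 1}", "10.0.0.5", (50000 + i, "S")))
    # an echo request to a directed-broadcast address carrying the victim's
    # address as source, then 12 echo replies converging on that victim
    pkts.append((2.0, "icmp", "10.0.0.7", "192.168.1.255", (8, PING_PAYLOAD)))
    for i in range(12):
        pkts.append((2.1 + i / 100, "icmp", f"192.168.1.{i + 1}", "10.0.0.7", (0, PING_PAYLOAD)))
    # an ordinary ping followed by an echo request whose payload is data
    pkts.append((3.0, "icmp", "10.0.0.9", "203.0.113.4", (8, PING_PAYLOAD)))
    pkts.append((3.1, "icmp", "10.0.0.9", "203.0.113.4", (8, TUNNEL_PAYLOAD)))
    return pkts


SAMPLE_PACKETS = build_sample_packets()


def shannon_entropy(data):
    """Bits per byte: 0 for a constant payload, 8 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_syn_flood(packets, threshold=20):
    """Destinations with >= threshold half-open connections: a SYN from
    (src, sport) that the same client never follows with an ACK."""
    pending = set()
    for _t, proto, src, dst, info in packets:
        if proto != "tcp":
            continue
        sport, flags = info
        if flags == "S":
            pending.add((src, sport, dst))
        elif flags == "A":
            pending.discard((src, sport, dst))
    half_open = defaultdict(int)
    for _src, _sport, dst in pending:
        half_open[dst] += 1
    return sorted(d for d, n in half_open.items() if n >= threshold)


def detect_smurf(packets, min_sources=10):
    """Hosts receiving echo replies from many distinct sources (the reflection
    pattern of a smurf attack), plus any echo request sent to a .255 address,
    which a border router should not be forwarding in the first place."""
    reply_sources = defaultdict(set)
    broadcast_requests = []
    for _t, proto, src, dst, info in packets:
        if proto != "icmp":
            continue
        icmp_type, _payload = info
        if icmp_type == 0:
            reply_sources[dst].add(src)
        elif icmp_type == 8 and dst.endswith(".255"):
            broadcast_requests.append((src, dst))
    victims = sorted(h for h, s in reply_sources.items() if len(s) >= min_sources)
    return victims, broadcast_requests


def detect_icmp_tunnel(packets, max_entropy=5.0):
    """Echo packets whose payload is neither the incrementing filler pattern
    (assumed here to be what benign ping clients send) nor low-entropy."""
    suspects = []
    for _t, proto, src, dst, info in packets:
        if proto != "icmp":
            continue
        icmp_type, payload = info
        if icmp_type not in (0, 8) or not payload:
            continue
        filler = bytes((payload[0] + i) & 0xFF for i in range(len(payload)))
        if payload != filler and shannon_entropy(payload) > max_entropy:
            suspects.append((src, dst))
    return suspects


if __name__ == "__main__":
    print("SYN flood targets:", detect_syn_flood(SAMPLE_PACKETS))
    print("Smurf victims / broadcast pings:", detect_smurf(SAMPLE_PACKETS))
    print("Possible ICMP tunnels:", detect_icmp_tunnel(SAMPLE_PACKETS))
```

Each detector keys on the property the notes give for the attack: a SYN flood leaves half-open connections, a smurf attack leaves one host receiving replies from many hosts it never pinged (and, if the border router allows it, an echo request aimed at a broadcast address), and a tunnel puts data where a ping client would put a fixed pattern. Thresholds are per-network tuning values, not constants.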
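Added illustration (not from the lecture notes or the textbook) of the two scanner techniques listed above: first-generation signature scanning and the fourth-generation integrity check that remembers file lengths and checksums. The "files" are constructed byte strings held in a dictionary rather than a real file system, the signature is a made-up byte pattern, and the tampered copy is built so that its length stays the same, the way the notes say a stealth virus using compression tries to appear unchanged.

```python
import hashlib

# Constructed stand-ins for system files (bytes), not real binaries.
CLEAN_FILES = {
    "bin/login": b"\x7fELF" + b"\x00" * 60 + b"login main body",
    "bin/ls":    b"\x7fELF" + b"\x00" * 60 + b"ls main body",
}

# Constructed signature (hypothetical); real ones are vendor-specific byte patterns.
SIGNATURES = {"demo-prepender": b"\xeb\x10\x90\x90DEMOSIG"}


def build_baseline(files):
    """Fourth-generation style baseline: remember each file's length and a
    cryptographic checksum (SHA-256) rather than the length alone."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def check_integrity(files, baseline):
    """Compare the current files against the baseline. A change that keeps the
    original length (what a stealth virus using compression aims for) defeats a
    length-only check but not the checksum."""
    findings = []
    for name, (length, digest) in baseline.items():
        data = files.get(name)
        if data is None:
            findings.append((name, "missing"))
            continue
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        findings.append((name, "modified-same-length" if len(data) == length else "modified"))
    findings.extend((name, "new") for name in files if name not in baseline)
    return findings


def signature_scan(files, signatures):
    """First-generation style check: look for known byte fragments."""
    return [(name, sig) for name, data in files.items()
            for sig, pattern in signatures.items() if pattern in data]


def tamper_same_length(data, pattern):
    """Constructed modification for the demo: overwrite bytes after the
    4-byte header with the pattern so the file length does not change."""
    return data[:4] + pattern + data[4 + len(pattern):]


BASELINE = build_baseline(CLEAN_FILES)
TAMPERED_FILES = dict(CLEAN_FILES)
TAMPERED_FILES["bin/ls"] = tamper_same_length(CLEAN_FILES["bin/ls"], SIGNATURES["demo-prepender"])

if __name__ == "__main__":
    print(check_integrity(TAMPERED_FILES, BASELINE))   # [('bin/ls', 'modified-same-length')]
    print(signature_scan(TAMPERED_FILES, SIGNATURES))  # [('bin/ls', 'demo-prepender')]
```

The integrity check catches the change because the checksum differs even though the length matches; the signature scan catches it only because the pattern is already known, which is the limitation the heuristic and behavior generations were added to address.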