Computer Security 2014 – Ymir Vigfusson
Some slides borrowed from Dick Steflik, and material from PBS

We now understand some of the technical details behind compromise. But what about ethics, law and privacy? These are real, ongoing dilemmas.

Scott Moulton, December 1999, Canton, GA
Set up a router to connect the police department to E911.
Was concerned this would cause security risks, so did a rudimentary port scan of the networks involved.
Scanned a third-party web site; they emailed him back and he explained his action.
They called the police and had him arrested for allegedly violating the CFAA, 18 U.S.C. 1030(a)(5)(B):
▪ Against those who "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage"
The civil case was dismissed before trial, and eventually all charges were dropped:
▪ "Court holds that plaintiff's act of conducting an unauthorized port scan and throughput test of defendant's servers does not constitute a violation of either the Georgia Computer Systems Protection Act or the Computer Fraud and Abuse Act." (Civ. Act. No. 1:00-CV-434-TWT, N.D. Ga., November 6, 2000)

Many states have their own laws on computer abuse, some of which can arguably label "ping" packets as abusive.
Countries also differ:
"A 17-year-old youth was convicted in Finland of attempted computer intrusion for simply port scanning a bank. He was fined to cover the target's investigation expenses."
"An Israeli judge acquitted Avi Mizrahi in early 2004 for vulnerability scanning the Mossad secret service. Judge Abraham Tennenbaum even commended Avi in his ruling:"
▪ "In a way, Internet surfers who check the vulnerabilities of Web sites are acting in the public good. If their intentions are not malicious and they do not cause any damage, they should even be praised."
"Broad cybercrime laws took effect in 2008 in Germany and England that ban distribution and possession of 'hacking tools'."

http://bandwidthco.com/whitepapers/netforensics/recon/scan/Finding%20Fences%20in%20Cyberspace%20Privacy,%20Property%20and%20Open%20Access.pdf

Electronic Communications Privacy Act (ECPA)
Title I: Criminalizes the interception of wire or electronic communications, and the use or disclosure of such communications when the interception was known to be in violation of ECPA. Also criminalizes the use of "devices" to intercept communications, and the manufacture, distribution, possession or advertising of devices whose main commercial use is the interception of wire or electronic communications. Gives persons whose communications are intercepted in violation of ECPA a civil cause of action.
Title II: Criminalizes unauthorized access (or access in excess of authorization) to a facility where electronic communications are stored, as well as unauthorized disclosure of stored electronic communications.

Borrowed from slides by Dick Steflik
Computer Fraud and Abuse Act (1984, broadened in 1986): Makes it a crime to knowingly access a federal computer without authorization.
Electronic Communications Privacy Act of 1986: Updated the Federal Wiretap Act to cover electronically stored data.
U.S. Communications Assistance for Law Enforcement Act of 1994: Amended the Electronic Communications Privacy Act to require all communications carriers to make wiretaps possible.
Economic Espionage Act of 1996 (protection of proprietary economic information): Extends the definition of privacy to include proprietary economic information; its theft constitutes corporate or industrial espionage.
Health Insurance Portability and Accountability Act of 1996: Standards for the electronic transmission of healthcare information.
National Information Infrastructure Protection Act of 1996: Amends the Computer Fraud and Abuse Act to provide more protection to computerized information and systems used in foreign and interstate commerce or communications.
Gramm-Leach-Bliley Act of 1999: Limits the instances in which a financial institution can disclose nonpublic personal information about a customer to a third party.

The case of Albert Gonzalez and Stephen Watt

The average armed robber gets $2,500-$7,500 and risks being shot or killed; 50-60% are caught and convicted and spend an average of 5 years of hard time.
The average computer criminal nets $50K-$500K with a risk of being fired or going to jail; only 10% are caught, of those only 15% are turned in to the authorities, and fewer than 50% of those do jail time.
Prosecution
Many institutions fail to prosecute for fear of advertising the breach.
Many banks absorb the losses, fearing that they would lose more if their customers found out and took their business elsewhere.
▪ Fix the vulnerability and continue on with business as usual.

Work from anywhere
Minimal risk
No meetings or regular work hours
International colleagues
Compensation: $50,000-$500,000 per month
Skill profile: Basic computer security know-how
Successful candidates have programming or social engineering skills
• http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

ICELAND
"FORTUNE FAVORS THE BOLD"
I WAS LUCKY
IF YOU GAINED ACCESS TO A BOTNET, WHAT WOULD YOU DO?
IF YOU COULD HACK CRIMINALS, WHAT WOULD YOU DO?
IF YOU COULD BREAK IN ANYWHERE, WHAT WOULD YOU DO?
USE YOUR SKILLS TO IMPROVE OUR WORLD

sudo_debug() (sudo)

    void
    sudo_debug(int level, const char *fmt, ...)
    {
        va_list ap;
        char *fmt2;

        if (level > debug_level)
            return;

        /* Bracket fmt with prog name and a newline to make it a single write */
        easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
        va_start(ap, fmt);
        vfprintf(stderr, fmt2, ap);
        va_end(ap);
        efree(fmt2);
    }

handle_message() (Asterisk chan_skinny); exten is a field of struct skinny_device

    char exten[AST_MAX_EXTENSION];

    static int handle_message(struct skinny_req *req, struct skinnysession *s)
    {
        int res = 0;
        /* ... */
        switch (letohl(req->e)) {
        /* ... */
        case KEYPAD_BUTTON_MESSAGE:
            {
                struct skinny_device *d = s->device;
                struct skinny_subchannel *sub;
                int lineInstance;
                int callReference;

                lineInstance = letohl(req->data.keypad.lineInstance);
                callReference = letohl(req->data.keypad.callReference);

                if (lineInstance) {
                    sub = find_subchannel_by_instance_reference(d, lineInstance, callReference);
                } else {
                    sub = d->activeline->activesub;
                }

                if (sub && ((sub->owner && sub->owner->_state < AST_STATE_UP) || sub->onhold)) {
                    char dgt;
                    int digit = letohl(req->data.keypad.button);

                    if (digit == 14) {
                        dgt = '*';
                    } else if (digit == 15) {
                        dgt = '#';
                    } else if (digit >= 0 && digit <= 9) {
                        dgt = '0' + digit;
                    } else {
                        dgt = '0' + digit;
                        ast_log(LOG_WARNING, "Unsupported digit %d\n", digit);
                    }

                    d->exten[strlen(d->exten)] = dgt;
                    d->exten[strlen(d->exten)+1] = '\0';
                } else
                    res = handle_keypad_button_message(req, s);
            }
            break;
        /* ... */
        }
        /* ... */
        return res;
    }

sighndlr() (signal handler example)

    void sighndlr(int dummy)
    {
        syslog(LOG_NOTICE, user_dependent_data);
        // *** Initial cleanup code, calling the following somewhere:
        free(global_ptr2);
        free(global_ptr1);
        // *** 1 *** >> Additional clean-up code - unlink tmp files, etc <<
        exit(0);
    }

    /**************************************************
     * This is a signal handler declaration somewhere *
     * at the beginning of main code.                 *
     **************************************************/

    signal(SIGHUP, sighndlr);
    signal(SIGTERM, sighndlr);

    // *** Other initialization routines, and global pointer
    // *** assignment somewhere in the code (we assume that
    // *** nnn is partially user-dependent, yyy does not have to be):

    global_ptr1 = malloc(nnn);
    global_ptr2 = malloc(yyy);

    // *** 2 *** >> further processing, allocated memory <<
    // *** 2 *** >> is filled with any data, etc...     <<

do_syslog() (sudo)

    /*
     * Log a message to syslog, pre-pending the username and splitting the
     * message into parts if it is longer than MAXSYSLOGLEN.
     */
    static void
    do_syslog(int pri, char *msg)
    {
        int count;
        char *p;
        char *tmp;
        char save;

        for (p = msg, count = 0; count < strlen(msg) / MAXSYSLOGLEN + 1; count++) {
            if (strlen(p) > MAXSYSLOGLEN) {
                for (tmp = p + MAXSYSLOGLEN; tmp > p && *tmp != ' '; tmp--)
                    ;
                if (tmp <= p)
                    tmp = p + MAXSYSLOGLEN;

                /* NULL terminate line, but save the char to restore later */
                save = *tmp;
                *tmp = '\0';

                if (count == 0)
                    SYSLOG(pri, "%8.8s : %s", user_name, p);
                else
                    SYSLOG(pri, "%8.8s : (command continued) %s", user_name, p);

                /* restore saved character */
                *tmp = save;

                /* Eliminate leading whitespace */
                for (p = tmp; *p != ' '; p++)
                    ;
            } else {
                if (count == 0)
                    SYSLOG(pri, "%8.8s : %s", user_name, p);
                else
                    SYSLOG(pri, "%8.8s : (command continued) %s", user_name, p);
            }
        }
    }

channel_by_id() (OpenSSH)

    /*
     * Pointer to an array containing all allocated channels. The array is
     * dynamically extended as needed.
     */
    static Channel **channels = NULL;

    /*
     * Size of the channel array. All slots of the array must always be
     * initialized (at least the type field); unused slots set to NULL
     */
    static u_int channels_alloc = 0;

    Channel *
    channel_by_id(int id)
    {
        Channel *c;

        if (id < 0 || (u_int)id > channels_alloc) {
            logit("channel_by_id: %d: bad id", id);
            return NULL;
        }
        c = channels[id];
        if (c == NULL) {
            logit("channel_by_id: %d: bad id: channel free", id);
            return NULL;
        }
        return c;
    }
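In the sudo_debug() slide, getprogname() comes from argv[0], which the caller of exec() chooses, and it is pasted into fmt2 and then handed to vfprintf() as the format string. The following is an added example, not sudo's code: it does the same bracketing while keeping untrusted bytes out of the format argument. The function debug_line(), progname_has_directive(), demo_line() and the sample argv[0] value are assumptions made here for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical hardened counterpart of the bracketing in sudo_debug(): the
 * program name is emitted through a "%s" conversion and the caller's fmt is
 * passed to vsnprintf() on its own, so bytes such as "%n" in argv[0] are
 * printed literally instead of being interpreted as directives. Writes at
 * most n bytes (NUL included) into out and returns the length of the full
 * line, like snprintf(), so truncation is detectable.
 */
int debug_line(char *out, size_t n, const char *progname, const char *fmt, ...)
{
    va_list ap;
    int len, rest;

    /* Untrusted data travels as an ARGUMENT, never as the format string. */
    len = snprintf(out, n, "%s: ", progname);
    if (len < 0)
        return len;

    /* Only the developer-controlled fmt is ever used as a format. */
    va_start(ap, fmt);
    if ((size_t)len < n)
        rest = vsnprintf(out + len, n - (size_t)len, fmt, ap);
    else
        rest = vsnprintf(NULL, 0, fmt, ap);   /* no room left: just measure */
    va_end(ap);
    if (rest < 0)
        return rest;
    len += rest;

    /* The trailing newline is appended as data, not via the format. */
    if ((size_t)len + 1 < n) {
        out[len] = '\n';
        out[len + 1] = '\0';
    }
    return len + 1;
}

/* Nonzero if progname carries a conversion specifier: the kind of argv[0]
 * that the original code would have handed to vfprintf() as a format. */
int progname_has_directive(const char *progname)
{
    return strchr(progname, '%') != NULL;
}

/* Constructed demo: argv[0] chosen by a hostile caller of exec(). The
 * returned line still contains the "%n"s as plain text. */
const char *demo_line(void)
{
    static char buf[128];
    debug_line(buf, sizeof buf, "%n%n%n%n", "level %d: %s", 3, "hello");
    return buf;
}

int main(void)
{
    fputs(demo_line(), stderr);
    return 0;
}
```

The rule the example encodes is the general one for printf-family calls: the format argument is a string literal the developer wrote, and everything that came from the environment, the network or the command line is passed through a conversion.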
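In the chan_skinny slide a keypad digit is appended with d->exten[strlen(d->exten)] = dgt and no comparison against AST_MAX_EXTENSION, so a phone that keeps sending KEYPAD_BUTTON_MESSAGE packets writes past the buffer; the second store recomputes strlen() after the terminator has been overwritten, and the fall-through branch turns any other button code into '0' + digit. The added example below is my code, not Asterisk's: a bounded, whitelist-based append. The names keypad_button_to_char(), append_keypad_digit(), dial_sequence() and the small EXTEN_MAX are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define EXTEN_MAX 8   /* stand-in for AST_MAX_EXTENSION, kept small so the limit is easy to hit */

/* strlen() that cannot run past a buffer of known capacity. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Map a Skinny keypad button code to a dialable character. Only 0-9,
 * 14 ('*') and 15 ('#') are accepted; any other code is rejected instead
 * of being turned into '0' + digit. Returns 0 for an unsupported code. */
char keypad_button_to_char(int button)
{
    if (button >= 0 && button <= 9)
        return (char)('0' + button);
    if (button == 14)
        return '*';
    if (button == 15)
        return '#';
    return 0;
}

/* Append one button press to a NUL-terminated extension buffer of
 * capacity cap, never letting it grow past cap - 1 characters.
 * Returns 0 on success, -1 for an unsupported button, -2 when full;
 * the buffer is untouched on failure. */
int append_keypad_digit(char *exten, size_t cap, int button)
{
    size_t len = bounded_len(exten, cap);
    char dgt = keypad_button_to_char(button);

    if (dgt == 0)
        return -1;
    if (len + 1 >= cap)          /* room needed for dgt plus the NUL */
        return -2;
    exten[len] = dgt;
    exten[len + 1] = '\0';       /* index computed once, not re-derived with strlen() */
    return 0;
}

/* Feed a burst of button codes, as a phone under attacker control might
 * send them; returns how many were accepted. */
int dial_sequence(char *exten, size_t cap, const int *buttons, size_t n)
{
    size_t i;
    int accepted = 0;

    exten[0] = '\0';
    for (i = 0; i < n; i++)
        if (append_keypad_digit(exten, cap, buttons[i]) == 0)
            accepted++;
    return accepted;
}

static char demo_exten[EXTEN_MAX];

/* Constructed input: twelve presses, including an out-of-range code (99),
 * into an EXTEN_MAX-byte buffer. Returns the number accepted; the
 * resulting extension is available via demo_exten_value(). */
int demo_dial(void)
{
    static const int burst[] = { 1, 2, 3, 99, 14, 4, 5, 6, 7, 8, 9, 15 };
    return dial_sequence(demo_exten, sizeof demo_exten, burst, sizeof burst / sizeof burst[0]);
}

const char *demo_exten_value(void)
{
    return demo_exten;
}
```

With an 8-byte buffer the burst above yields "123*456": seven presses fit, the 99 is refused as unsupported, and the remaining presses are dropped rather than written past the end.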
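The sighndlr() slide calls syslog(), free() and exit() from inside the handler, and the same handler is registered for both SIGHUP and SIGTERM; if the second signal is delivered while the first handler is still running, the handler re-enters non-reentrant libc code and frees global_ptr1 and global_ptr2 a second time. The added example below is mine, not from the slide's source: the handler only sets a flag, and cleanup runs from ordinary code exactly once. The functions install_handlers(), allocate_globals(), run_pending_cleanup() and deliver() are assumptions for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdlib.h>
#include <string.h>

/* The only state the handler touches: the one type C guarantees can be
 * written atomically from a signal handler. */
static volatile sig_atomic_t shutdown_requested = 0;

static char *global_ptr1 = NULL;
static char *global_ptr2 = NULL;
static int cleanup_done = 0;

/* Async-signal-safe: no free(), no stdio, no syslog(), no exit(). */
static void on_signal(int signo)
{
    (void)signo;
    shutdown_requested = 1;
}

/* Install with sigaction() so the semantics do not depend on the platform's
 * signal(), and so that SIGHUP and SIGTERM are blocked while the handler
 * runs. Returns 0 on success, -1 on failure. */
int install_handlers(void)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sigaddset(&sa.sa_mask, SIGHUP);
    sigaddset(&sa.sa_mask, SIGTERM);
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGHUP, &sa, NULL) != 0 || sigaction(SIGTERM, &sa, NULL) != 0)
        return -1;
    return 0;
}

/* The allocations the slide does in main(); the sizes are constructed here. */
int allocate_globals(size_t nnn, size_t yyy)
{
    global_ptr1 = malloc(nnn);
    global_ptr2 = malloc(yyy);
    return (global_ptr1 != NULL && global_ptr2 != NULL) ? 0 : -1;
}

/* Called from the main loop, i.e. normal context, where free(), unlink()
 * and logging are all allowed. Returns 1 if cleanup ran on this call and
 * 0 otherwise. Each pointer is freed at most once and then cleared, and a
 * repeated signal finds cleanup_done already set, so there is no double
 * free and no handler-against-handler race. */
int run_pending_cleanup(void)
{
    if (!shutdown_requested)
        return 0;
    shutdown_requested = 0;
    if (cleanup_done)
        return 0;
    cleanup_done = 1;

    free(global_ptr2);
    global_ptr2 = NULL;
    free(global_ptr1);
    global_ptr1 = NULL;
    /* ... unlink temp files, syslog() the shutdown, then exit(0) ... */
    return 1;
}

int cleanup_count(void)
{
    return cleanup_done;
}

/* Send ourselves a signal; wraps raise() so the result is a return value. */
int deliver(int signo)
{
    return raise(signo);
}
```

The main loop of a daemon using this pattern polls run_pending_cleanup() (or wakes up via a self-pipe or signalfd) after each unit of work; the handler itself does nothing that could be interrupted in an inconsistent state.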
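do_syslog() above patches '\0' into the caller's msg, fixes the number of pieces up front from strlen(msg), and skips "leading whitespace" with for (p = tmp; *p != ' '; p++), which advances until the next space rather than past the spaces; after a hard split with no space in the rest of the message, that loop runs off the end of the string. The added example below is not sudo's code: it splits a message into syslog-sized pieces on word boundaries without modifying the input, with every loop bounded by the terminator. The small MAXSYSLOGLEN, the user name, the captured-output buffer and split_log_message() are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAXSYSLOGLEN 16   /* small stand-in for sudo's limit so the splits are visible */
#define MAX_CHUNKS   16

/* Captured output in place of syslog(3); one entry per emitted line. */
static char log_lines[MAX_CHUNKS][MAXSYSLOGLEN + 40];

static void emit(const char *user, int count, const char *text, size_t len)
{
    if (count >= MAX_CHUNKS)
        return;
    if (count == 0)
        snprintf(log_lines[count], sizeof log_lines[count],
                 "%8.8s : %.*s", user, (int)len, text);
    else
        snprintf(log_lines[count], sizeof log_lines[count],
                 "%8.8s : (command continued) %.*s", user, (int)len, text);
}

/* Split msg into pieces of at most MAXSYSLOGLEN bytes, breaking at the last
 * space inside the window when there is one. Differences from do_syslog():
 * msg is const and never patched with '\0'; the outer loop is driven by the
 * terminator rather than a count computed up front; and leading spaces are
 * skipped with a loop that stops at the first non-space or at the NUL.
 * Returns the number of pieces emitted. */
int split_log_message(const char *user, const char *msg)
{
    const char *p = msg;
    int count = 0;

    while (*p != '\0') {
        size_t rest = strlen(p);
        size_t len;

        if (rest <= MAXSYSLOGLEN) {
            len = rest;                        /* final piece fits */
        } else {
            len = MAXSYSLOGLEN;                /* look back for a word boundary */
            while (len > 0 && p[len] != ' ')
                len--;
            if (len == 0)
                len = MAXSYSLOGLEN;            /* no space in the window: hard split */
        }
        emit(user, count, p, len);
        count++;
        p += len;
        while (*p == ' ')                      /* eliminate leading whitespace */
            p++;
    }
    return count;
}

const char *log_line(int i)
{
    return (i >= 0 && i < MAX_CHUNKS) ? log_lines[i] : "";
}

/* Constructed input: a command longer than one window whose tail has no
 * spaces at all, which is exactly the case where the slide's loop would
 * scan past the terminator. */
int demo_split(void)
{
    return split_log_message("alice", "ls -la /var/log/httpd aaaaaaaaaaaaaaaaaaaaaaaa");
}
```

With a 16-byte window the constructed command comes out as four lines: "ls -la", "/var/log/httpd", sixteen a's, and the remaining eight a's; the 24-character run is split by size because there is no space to break on, and the scan stops at the terminator.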
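channel_by_id() above rejects id < 0 and id > channels_alloc, so id == channels_alloc passes the check and channels[channels_alloc] is read one slot past the array. The added example below is mine, not OpenSSH's: the comparison as written on the slide next to the corrected one, over a small table with a marker planted in the slot beyond the end, so the out-of-bounds read shows up deterministically instead of as undefined behaviour. The table size, the sentinel and the function names are assumptions for illustration.

```c
#include <stddef.h>

typedef struct channel {
    int id;
    int type;
} Channel;

#define TABLE_ALLOC 4

/* One slot more than channels_alloc is allocated and a marker planted in it,
 * so the out-of-bounds read performed by the slide's comparison yields a
 * recognisable value instead of whatever follows the array in memory. */
static Channel sentinel = { -1, 0 };
static Channel slots[TABLE_ALLOC];
static Channel *channels[TABLE_ALLOC + 1];
static unsigned int channels_alloc = TABLE_ALLOC;

/* ids 0 and 2 in use, 1 and 3 free (NULL), marker just past the end. */
void init_channels(void)
{
    unsigned int i;

    for (i = 0; i < channels_alloc; i++) {
        slots[i].id = (int)i;
        slots[i].type = 1;
        channels[i] = (i % 2 == 0) ? &slots[i] : NULL;
    }
    channels[channels_alloc] = &sentinel;
}

/* The check as written on the slide: '>' lets id == channels_alloc through,
 * so channels[channels_alloc] is read one element past the array. */
Channel *channel_by_id_buggy(int id)
{
    if (id < 0 || (unsigned int)id > channels_alloc)
        return NULL;
    return channels[id];
}

/* Corrected: valid indices are 0 .. channels_alloc - 1, hence '>='.
 * The id < 0 test stays in front of the cast so the intent is explicit. */
Channel *channel_by_id_fixed(int id)
{
    if (id < 0 || (unsigned int)id >= channels_alloc)
        return NULL;
    return channels[id];   /* NULL here means "bad id: channel free" */
}

/* 1 if the buggy lookup hands back the out-of-bounds marker. */
int buggy_reads_past_end(void)
{
    init_channels();
    return channel_by_id_buggy((int)channels_alloc) == &sentinel;
}

/* 1 if the corrected lookup rejects id == channels_alloc. */
int fixed_rejects_end(void)
{
    init_channels();
    return channel_by_id_fixed((int)channels_alloc) == NULL;
}
```

In the real table there is no sentinel: the slot after the array is whatever the allocator placed there, and a pointer read from it is then dereferenced as a Channel.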