NETWORK SECURITY
"Novice hack machine, Professional hack people"
Dr. Pipat Sookavatana, School of Engineering, KMITL

MALWARE & INTERNET SECURITY
26/10/51

Malware and Security
Malware = malicious software
Most security threats (more than 90%) come from malware. Why? Users and the workforce:
◼ lack an understanding of security
◼ are easy to attack

Different Types of Malware
• Virus
• Spyware
• Adware
• Embedded programs
• Trojan horse
• Browser hijackers
• Dialers

Why do people make Malware?
• Profit
• A challenge
• Malice
• Boredom
• Business

How do I know if I've got Malware?
• Computer is running slower than normal
• Pop-ups (on or off the internet)
• New toolbars
• Home page changes
• Search results look different
• Error messages when accessing the web
→ Use special tools

Virus
A virus is a piece of malicious software code written to cause some kind of damage to a computer system or network, or even the Internet itself. Viruses spread, similar to their biological namesake, from one machine to another and can wreak havoc wherever they go. They are most commonly spread by sharing files with others or through email attachments, where they can be set up to send themselves to all the addresses in your email address book.

Adware
Adware is usually downloaded and installed along with some other program without your knowledge and, unlike a virus, doesn't spread by itself. Very often you click "OK" without reading the terms and conditions, and by doing so you agree to have the files installed. An example: you see a "free" program on offer that you think might be useful and download it without thinking. Even some anti-spyware programs install adware, and the website earns money from the ads that are clicked on.

Spyware
Spyware is more malicious and evil-intentioned and is designed to steal something from you. It can be downloaded by visiting the wrong types of websites, or along with other files in the same way as adware.
Spyware can often be hard to remove, as it can continually recreate itself and hide somewhere on your hard drive.

What does Spyware look like? (screenshot slides)

How do I get rid of Spyware?
• Use a legitimate spyware removal program.
• We suggest Spybot Search and Destroy in combination with Microsoft Antispyware (now called Defender).
• Ad-aware is a good program and is free for home use, but is no longer free for educational use.

Steps in Spyware, Adware and Virus Removal
1. Shut down and take out your hard disk.
2. Plug it into a clean, freshly installed antimalware machine.
3. Scan the hard disk and remove them.

How do I prevent Spyware?
• Be conscious of what you are clicking on/downloading.
• Some pop-ups have what appears to be a close button, but will actually try to install spyware when you click on it. Always look for the topmost right red X.
• Remember that things on the internet are rarely free. "Free" screensavers etc. generally contain ads, or worse, that pay the programmer for their time.

The Least Wanted List
Weatherbug (GAIN or Claria), Hotbar, 180 Search Assistant, MyWebSearch, Popular Screensavers, Comet Cursors, A Better Internet (Aurora), Kazaa / Morpheus, GameSpy Arcade, WhenUSave, New.Net, Starware Toolbar, MySearch, Begin2Search, 180Solutions, Zango, CoolWebSearch, DyFuCA, BonzaiBuddy, BargainBuddy, Dashbar, Gator, WeatherScope, Best Offers Network, Precision Time, FunWeb

How secure do you need to be?
Be prudent, not paranoid.
• Did you initiate the action?
• Why is this free?
• Is the source trustworthy?
• When in doubt, Google it.

Safer Alternatives
• Download.com – all programs are adware/spyware free
• Freesaver.com – screensavers from this site are safe; DO NOT click on ads
• KFOR or News9
• Cleansoftware.org

The Bottom Line
It is safe to install these programs:
• Microsoft AntiSpyware (Defender)
• Spybot Search & Destroy
• SpywareBlaster
• SpywareGuard
If you are running a different spyware program, contact your Technology Specialist to make sure it is not a rogue.

EMAIL & INTERNET SECURITY

Email: another methodology
• send program via email
• user naively executes attachment, or perhaps it is auto-launched
• in some cases social engineering may be of use
  ◼ "hi handsome ..."
  ◼ "I love u ..."
• malware uses the address book to launch itself at the next targets, possibly with a fake email sender

Phishing
• Most commonly an email stating your account information needs updating.
• Watch for URLs that are numeric or different from the link you clicked on.
• The best thing to do is to type in the URL and check your account directly without following any links in the email.
• Many legitimate emails no longer contain a link (PayPal).

Phishing Examples (screenshot slides)

Define some terms (Must Know)
• exploit: a piece of code that exploits a software bug, leading to a security hole
• virus: a malware program that somehow rides on the back of another vehicle but doesn't move itself
• worm: a malware program that provides its own transit
• trojan horse: a malware program that somehow appears as something else entirely
• spyware: a malware program that spies on your information

Define some terms (Must Know) cont.
• footprint/signature: some log entry or other trace left behind by an attack
• signature (in the IDS sense): some way to identify a particular virus/worm/exploit attack; perhaps use pattern matching to identify that a file/email/packet has a known attack in it
• forensics: the process of figuring out just how an attack occurred after the attack succeeded; this may include collecting evidence for a criminal case against a criminal defendant

Define some terms (Must Know) cont.
• forensics again, important idea: if we can't figure out how they got in, how can we keep them out next time?
• counter-measures: just what the whitehats do to keep the blackhats out, or what you do to WATCH for them
  » on your network or hosts
  » what did you do to make your webserver safer?
• honeypot concept

Define some terms (Must Know) cont.
• define "secure"!! Maybe we should all say "safer".
• backdoor
• social engineering attack
• buffer overflow
• dictionary attack
• oh wait, we have the Morris worm for those terms

INTERNET SECURITY
Attacking techniques: list of well-known attack techniques (Network Security Class)

Denial of Service
Denial of service (DoS) is a type of cyber attack designed to disable, shut down or disrupt a network, website or service. Typically, malware is used to interrupt or inhibit the normal flow of data into and out of a system, rendering the target useless or inaccessible for a certain period.

Unvalidated Input
As a general rule, you should check all input received by your program to make sure that the data is reasonable. For example, a graphics file can reasonably contain an image that is 200 by 300 pixels, but cannot reasonably contain an image that is 200 by -1 pixels. Nothing prevents a file from claiming to contain such an image, however. A naive program attempting to read such a file would attempt to allocate a buffer of an incorrect size, leading to the potential for a heap overflow attack or other problem. For this reason, you must check your input data carefully.
This process is commonly known as input validation or sanity checking. Any input received by your program from an untrusted source is a potential target for attack. (In this context, an ordinary user is an untrusted source.) Examples of input from an untrusted source include (but are not restricted to):
• text input fields
• commands passed through a URL used to launch the program
• audio, video, or graphics files provided by users or other processes and read by the program
• command line input
• any data read from an untrusted server over a network
• any untrusted data read from a trusted server over a network (user-submitted HTML or photos, for example)
Hackers look at every source of input to the program and attempt to pass in malformed data of every type they can imagine. If the program crashes or otherwise misbehaves, the hacker then tries to find a way to exploit the problem. Unvalidated-input exploits have been used to take control of operating systems, steal data, corrupt users' disks, and more. One such exploit was even used to "jailbreak" iPhones. Validating Input and Interprocess Communication describes common types of input-validation vulnerabilities and what to do about them.

Broken Access Control
At its core, Broken Access Control is simply a scenario in which attackers can access, modify, delete or perform actions outside an application's or system's intended permissions. Many vulnerabilities can be classified as a form of Broken Access Control, such as when normal users are able to access admin-only features by changing parameters in a URL, viewing or modifying another user's data, or privilege escalation.

Broken Authentication and Session Management
Broken Authentication and Session Management (A2:2017) is an OWASP-listed vulnerability that recognizes the risk to credentials caused by poor implementation of identity and access controls.
The Open Web Application Security Project (OWASP) manages a standard awareness database listing the top ten critical security risks to web applications. These are globally recognized threats identified and updated by an open community to guide teams in creating secure applications.

Cross Site Scripting (XSS) Flaws
Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. An attacker can use XSS to send a malicious script to an unsuspecting user.

Buffer Overflow
In information security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Buffers are areas of memory set aside to hold data, often while moving it from one section of a program to another, or between programs. Buffer overflows can often be triggered by malformed inputs; if one assumes all inputs will be smaller than a certain size and the buffer is created to be that size, then an anomalous transaction that produces more data could cause it to write past the end of the buffer. If this overwrites adjacent data or executable code, this may result in erratic program behavior, including memory access errors, incorrect results, and crashes.
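For the Cross Site Scripting section above, an added example that is not part of the slides: an HTML output encoder in C, shown beside the flawed pattern the slide describes, where user text is copied straight into the generated page. The function names and the page fragment are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Output-encode a user-supplied string so the browser renders it as text
 * rather than interpreting it as markup. Returns a malloc'd string or NULL. */
char *html_escape(const char *in) {
    static const struct { char c; const char *rep; } map[] = {
        {'&', "&amp;"}, {'<', "&lt;"}, {'>', "&gt;"}, {'"', "&quot;"}, {'\'', "&#39;"}
    };
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {           /* first pass: measure */
        size_t add = 1;
        for (size_t i = 0; i < 5; i++) if (*p == map[i].c) add = strlen(map[i].rep);
        out_len += add;
    }
    char *out = malloc(out_len + 1), *q = out;
    if (!out) return NULL;
    for (const char *p = in; *p; p++) {           /* second pass: encode */
        const char *rep = NULL;
        for (size_t i = 0; i < 5; i++) if (*p == map[i].c) rep = map[i].rep;
        if (rep) { size_t n = strlen(rep); memcpy(q, rep, n); q += n; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Constructed page fragment that reflects a user's comment. encode == 0 is the
 * flawed pattern (input placed in the output unencoded); encode == 1 is the fix.
 * Returns a malloc'd string or NULL. */
char *render_comment(const char *user_text, int encode) {
    char *safe = encode ? html_escape(user_text) : NULL;
    if (encode && !safe) return NULL;
    const char *body = encode ? safe : user_text;
    size_t cap = strlen(body) + 32;               /* wrapper is 27 bytes + NUL */
    char *page = malloc(cap);
    if (page) snprintf(page, cap, "<div class=\"comment\">%s</div>", body);
    free(safe);
    return page;
}

/* Check helper: does the rendered fragment contain `needle`? */
int rendered_contains(const char *user_text, int encode, const char *needle) {
    char *page = render_comment(user_text, encode);
    int found = page && strstr(page, needle) != NULL;
    free(page);
    return found;
}
```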
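An added example that is not part of the slides, serving both the Unvalidated Input section (the 200 by -1 image) and the Buffer Overflow section: a C reader for a constructed toy image header that rejects unreasonable dimensions before sizing the allocation and copies only as many pixel bytes as the validated size allows. The header layout, the size limit and the function names are assumptions for illustration, not a real file format.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format: int32 width, int32 height (host byte order), then
 * width*height bytes of 8-bit pixels. Not a real image format. */
#define MAX_DIM 4096   /* assumed sanity limit per side */

typedef struct { uint8_t *pixels; size_t len; } image_t;

/* Returns 0 on success, a negative code when the input is rejected. */
int load_image(const uint8_t *data, size_t data_len, image_t *out) {
    int32_t w, h;
    if (data_len < 8) return -1;                          /* header truncated */
    memcpy(&w, data, 4);
    memcpy(&h, data + 4, 4);
    /* Sanity check: a 200 x -1 image is not reasonable even though the file
     * can claim it. Without the limit, w*h in 32-bit arithmetic could also wrap
     * to a small value and a naive reader would allocate far too little. */
    if (w <= 0 || h <= 0 || w > MAX_DIM || h > MAX_DIM) return -2;
    size_t npix = (size_t)w * (size_t)h;                  /* <= 2^24, no wrap */
    /* The declared size must be backed by bytes actually present; copying
     * `npix` bytes from a shorter file would read past the input buffer. */
    if (data_len - 8 < npix) return -3;                   /* pixel data short */
    uint8_t *buf = malloc(npix);
    if (!buf) return -4;
    memcpy(buf, data + 8, npix);                          /* bounded by validated size */
    out->pixels = buf;
    out->len = npix;
    return 0;
}

/* Build a constructed in-memory file with the given header and payload length. */
size_t make_file(uint8_t *dst, size_t cap, int32_t w, int32_t h, size_t payload) {
    if (cap < 8 + payload) return 0;
    memcpy(dst, &w, 4);
    memcpy(dst + 4, &h, 4);
    memset(dst + 8, 0x7f, payload);
    return 8 + payload;
}

/* Run one constructed scenario and return load_image's result code. */
int scenario(int32_t w, int32_t h, size_t payload) {
    uint8_t f[64];
    image_t img;
    size_t n = make_file(f, sizeof f, w, h, payload);
    int rc = load_image(f, n, &img);
    if (rc == 0) free(img.pixels);
    return rc;
}
```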