CSCD 396 Essential Computer Security
Fall 2009
Lecture 2 - Security Overview
Reading: Chapter 1

Overview
• Learning Objectives
– Become acquainted with the threats
– Look at popular statistics reports
– Understand why computer security is difficult
– Learn basic security definitions

Motivation for Computer Security
• Most people ... have an attitude
– Why should I care?
• So, why should you care?

Motivation for Computer Security
• So, why should you care?
– Threats are real!
– Identity theft, malware, stolen resources for botnets, credit card theft
– Privacy ... corporate and government threats
• You need to know your right to protect your privacy!!!
– Look at a few statistics to motivate the need for computer security

Symantec Report
• Symantec notes 2008/2009 trends
– Web-based attacks continue to be very popular
• Popular, trusted sites with a large number of visitors can yield thousands of compromises from a single attack
– In 2008, huge increase in malware available
• Symantec's number of signatures for their anti-malware products increased substantially
• Summer 2009 – Michael Jackson's death, Farrah Fawcett's too
• Hundreds of spammed-out fake news links resulted in drive-by downloads of malware

Symantec Signatures
• 1,656,227 signatures is a 165% increase over 2007

More Symantec Stats
• Phishing incentive is largely financial

More Symantec Stats
• Once attackers have obtained financial information or other personal details
– Names, addresses, and government identification numbers
– Frequently sell the data on the underground economy
– Most popular item for sale ... credit card numbers
– Organized groups figured out ways to use those cards to obtain and use those funds

More Symantec Stats
• Some groups in the underground economy specialize in manufacturing blank plastic cards with magnetic stripes
– Can be encoded with stolen credit card and bankcard data.
– Requires a highly organized level of sophistication: cards are often produced in one country, imprinted, and then shipped to the countries where the stolen data originated

More Symantec Stats
• Popularity of items for sale on the underground economy

Trojan Named Gozi
• In 2007, SecureWorks Security Research Group discovered a new Trojan that captured credentials for several Internet banking and e-commerce websites
http://www.secureworks.com/research/threats/gozi/
– The Trojan, Gozi, forwarded captured credentials to an online database - they were being sold to the highest bidder
• SecureWorks Security Research Group uncovered a cache of stolen information
– Over 10,000 account records containing
• Online banking user credentials
• Patient healthcare information
• Employee login information for confidential government and law enforcement applications
• Further investigation: data offered for sale by Russian hackers for an amount totaling over $2 million

Conficker Worm
• In 2009, a new threat, a new worm!
• Also ... Downup, Downandup, Conflicker, and Kido
– SRI researcher reported in March 2009,
– "Cumulative census of Conficker.A indicates it affected more than 4.7 million IP addresses, while Conficker.B has affected 6.7 million IP addresses"
• Exploit used by Conficker was known in September 2008
• Chinese hackers were reportedly the first to produce a commercial package to sell this exploit (for $37.80)

Conficker Worm
• Exploit causes Windows 2000, XP, 2003 servers, and Vista to execute an arbitrary code segment without authentication
• Spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers.
• Worm uses a specially crafted RPC request to execute code on the target computer
– Affects systems with firewalls enabled, but which operate with print and file sharing enabled
• Patch for this exploit was released by Microsoft on October 23, 2008

CSI/FBI Cybercrime Survey
• Annual CSI Study 2009: Cost of cybercrime is still high,
http://www.personal.utulsa.edu/~jameschildress/cs5493/CSISurvey/CSISurvey2009.pdf
– Interesting in that fewer respondents will answer the losses questions ... data for this past year show a decrease in losses, but still up over two years ago
– Average annual losses of $234,000 in the past year, up from the $168,000 they reported two years ago
• 43% of the overall respondents said that they had suffered a security incident.
• 33% said their organizations had supposedly originated phishing attacks
• Financial fraud - the source of the greatest financial loss, > $450,000

AVG Security Software Predictions 2008
1. Web exploits and web-based social engineering attacks
– Viruses will continue to be a threat; also see an explosion of exploits through social engineering and Web 2.0 attacks in 2008
2. Storm Worm on the rise. Orchestrated attacks are expected across multiple platforms.
3. Email-propagated viruses. Many novice users remain unaware of email security issues and continue to open attachments from senders they do not know or click on unsafe hyperlinks.
4. Web exploits targeting trusted web sites
5. With increasing adoption of Microsoft's latest operating system, Vista will become a bigger and thus a more tempting target for the bad guys

Return from the Dead
Exploits that come back
• Links to exploits that return again and again
• Gozi
– http://www.trustdefender.com/blog/2010/02/28/gozi-a-perfect-example-of-an-older-trojan-re-inventing-itself/
• Storm Worm
– http://community.ca.com/blogs/securityadvisor/archive/2010/04/26/the-come-back-of-storm-worm.aspx
• Conficker
– http://www.zdnet.com/blog/hardware/making-sense-of-the-latest-conficker-update/4131

Difficulty of Computer Security
General Comments
• Online security mirrors offline
• Motivation and psychology are the same for the "online and offline" worlds
• "Where there is money, there is crime"
• Difference between online and offline is
– Harder to track, capture and convict online criminals
– Plus, several aspects of online attacks magnify their effects

Computer Security is Difficult
• Why do you think this is true?

Computer Security is Difficult
• Why is this so?
1. Automation of attacks
• Tools enable attackers to access thousands of computers quickly
• Slammer worm, 2003, infected 75,000 computers in 11 minutes, continued to scan 55 million computers / sec
• Blaster worm, 2003, infected 138,000 in the first 4 hours, and over 1.4 million computers in total

Computer Security is Difficult
2. Sophistication of attacks
– Convergence of threats by sophisticated tools
• MPack and other Trojans exhibit this trait
– Once installed, they can be used to view confidential information that can then be used in identity theft or fraud
– They can also be used to launch phishing attacks or to host phishing Web sites
– Finally, they can be used as spam zombies

Computer Security is Difficult
3.
Software vulnerabilities are increasing
– Hard for software vendors to keep up with the vulnerabilities discovered; less than 6 days from discovery of a vulnerability to creation of an exploit

CMU/CERT Software Vulnerabilities
[Chart: vulnerabilities reported per year, from http://www.cert.org/stats/ – 1995: 171; 2005: 5990]

Computer Security is Difficult
4. Zero Day attacks
– A vulnerability discovered by the attacker, not the developer. So, zero-day grace period. Must scramble to find the vulnerability and patch it
– Example:
• Hacker released attack code that exploited an unpatched vulnerability in Apple's QuickTime a week after the company updated the media player to plug nine other serious vulnerabilities, September 18, 2008
• Apple has updated the player five times since the beginning of 2008, and fixed more than 30 flaws!!

Computer Security is Difficult
5. No Borders, No Boundaries
– Attackers can be distant from targets
– Instead of worrying about criminals in your home town, worry about all criminals in the world
– And, how do you prosecute people across country borders?
– Think this is easy?

Computer Security is Difficult
5. No Borders, No Boundaries
– Example: In 1995, a 29-year-old hacker from Russia made $12,000,000 breaking into Citibank computers
– Most of the money was later recovered, but extraditing the hacker from Russia to stand trial was difficult
– He was later apprehended in London and extradited to the US to stand trial
– Got three years ... see link at end of lecture

Computer Security is Difficult
6. Technique Propagation
– Publish attacks so everyone can use them
– Damage can grow exponentially
– Only need a few skilled people; many use their exploits, and this amplifies the damage of attacks
– So, search in Google for the string "How to write a virus?"
– Comes back with 17,100,000 hits!
– Some good advice on writing RFID viruses

Computer Security is Difficult
7. Badly Designed Security Controls: users are required to make security decisions
– Most users do not have enough knowledge to make the kind of decisions they are required to make
– How many will click Cancel?

Computer Security Defined

Definitions
• Information Security
– Information security - protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
– The terms information security, computer security and information assurance are frequently used interchangeably
http://en.wikipedia.org/wiki/Information_security

Definitions
• Three common attributes of computer security
– What are they?

Definitions
• Three common attributes of computer security
– What are they?
1. Confidentiality
• Example?
• Confidentiality is preventing disclosure of information to unauthorized individuals or systems
• Example: a credit card transaction on the Internet
• System enforces confidentiality by encrypting the card number during transmission or limiting the places where it might appear

Definitions
2. Integrity
– Integrity means that data cannot be modified without authorization
– Example?
– Integrity is violated
• When an employee (accidentally or with malicious intent) deletes important data files,
• When a computer virus infects a computer,
• When an employee is able to modify his own salary in a payroll database,
• When an unauthorized user vandalizes a web site

Definitions
3. Availability
– Information must be available when it is needed.
– High availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades
– Example of violation?
– Ensuring availability also involves preventing DoS (denial-of-service) attacks
– See this in the following slide ...
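As an added illustration of the confidentiality and integrity attributes defined above (example code written for this page, not part of the lecture): the card number is masked wherever it must appear outside the payment channel, and the payroll example is handled by an authorization rule plus a keyed tag that detects modification made without authorization. The payroll role name, the record layout and the demo key are assumptions.

```python
import hmac
import hashlib
import json

# Constructed demo key; a real system keeps this in a key store, not in code.
INTEGRITY_KEY = b"lecture-2-demo-key"


def mask_card_number(card_number: str) -> str:
    """Confidentiality: limit where the number appears by showing only the
    last four digits on receipts, in logs and on screens."""
    digits = "".join(ch for ch in card_number if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    return "*" * (len(digits) - 4) + digits[-4:]


def seal(record: dict) -> str:
    """Integrity: an HMAC over the canonical record. Anyone without the key
    who edits the record cannot produce a matching tag."""
    canonical = json.dumps(record, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify(record: dict, tag: str) -> bool:
    """Constant-time comparison so tag checking does not leak timing."""
    return hmac.compare_digest(seal(record), tag)


def update_salary(actor: str, role: str, record: dict, tag: str, new_salary: int):
    """Authorization rule for the lecture's payroll example (assumed policy):
    only the payroll role may change a salary, and nobody may change their own.
    Returns the updated record and its fresh tag."""
    if not verify(record, tag):
        raise PermissionError("record failed integrity check; refusing to update it")
    if role != "payroll" or actor == record["employee"]:
        raise PermissionError(f"{actor} may not change the salary of {record['employee']}")
    updated = dict(record, salary=new_salary)
    return updated, seal(updated)


if __name__ == "__main__":
    print(mask_card_number("4111 1111 1111 1111"))  # constructed test number
    rec = {"employee": "alice", "salary": 50000}
    tag = seal(rec)
    print(update_salary("bob", "payroll", rec, tag, 52000))
```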
DDoS Attack Example
• July 21, 2008: the Web site for the president of Georgia was knocked offline by a distributed denial-of-service (DDoS) attack
• Another in a series of cyberattacks against countries experiencing political friction with Russia
• Georgia's presidential Web site was down for about a day, starting early Saturday until Sunday
• Network experts said the attack was executed by a botnet
Definition of Botnet
http://www.pcmag.com/encyclopedia_term/0,2542,t=botnet&i=38866,00.asp

Another DDoS Attack Example
• February 16th, 2007
• Anti-phishing group CastleCops.com was knocked out by a massive DDoS
– Volunteer-driven site, run by a husband-and-wife team, had been coping with on-and-off attacks since February 13
– An intense wave that began around 3:45 PM EST completely crippled the server capacity
• CastleCops.com had just celebrated its fifth anniversary as a high-profile anti-malware community
• Comment: This site ceased operation Dec. 2008

More Definitions
• Vulnerability
• How would you define it?
• A security exposure in an operating system or other system software or application software component
• Security firms maintain databases of vulnerabilities based on the version number of the software
– If exploited, each vulnerability can potentially compromise the system or network
– For a database of common vulnerabilities and exposures, visit http://icat.nist.gov/icat.cfm

More Definitions
• Assets
• In business and accounting, assets are everything owned by a person or company that can be converted into cash
• Personally, anything that has value
• Assets typically need to be protected
• Part of the problem is
• Information is not considered an asset!
More Definitions
• Exploit
• An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability
• Purpose is to cause unintended or unanticipated behavior to occur in computer software or hardware
– Gaining control of a computer system, or allowing privilege escalation or a denial-of-service attack

More Definitions
• Exploit
• Examples of Current Active Exploits
– Zeus Trojan – Steals your personal data
– BackDoor-DTN - Trojan that has rootkit capabilities
• Allows attacker to gain Administrator privileges
• This backdoor also has password-stealing capabilities and can log keystrokes on the system
– Many others ... see viruslist.com link in references

Sum up Definitions
• Attackers look for vulnerabilities in systems
– Typically in software, but others exist
– Once they find a vulnerability, they use an exploit of some kind to gain access to the system
– Looking for assets that have value
• Information assets are things like SSNs, credit card information or other information that leads to identity theft
• Other assets are the use of computers to create botnets

References
Wiki page on Russian Hacker
http://en.wikipedia.org/wiki/Vladimir_Levin
Symantec Security Threat Report
http://www.symantec.com/business/theme.jsp?themeid=threatreport
Law Firm IT Manager Shows Gozi Video to Backdoor Service
http://lawfirmit.blogspot.com/2009/04/video-gozi-trojan.html
AVG Software Threats 2008
http://www.net-security.org/secworld.php?id=5703
CSI/FBI Annual Computer Security Survey
http://www.gocsi.com/forms/csi_survey.jhtml;jsessionid=WAEOHNS1JTLLTQE1GHPSKH4ATMY32JVN

References Continued
• Zeus trojan – Nasty exploit
http://itknowledgeexchange.techtarget.com/securitybytes/zeus-trojan-evades-antivirus-software-trusteer-says/
• BackDoor-DTN – Trojan
http://www.esecurityplanet.com/alerts/article.php/3808996/36BackDoor-DTN-Trojan-Exploits-Microsoft-Flaw-to-Give-Attacker-Admin-Privileges.htm
VirusList Site for Listing current infections
http://www.viruslist.com/

Questions for Monday
• Next Monday, we will have a discussion during the second part of class
• Want you to look up answers to the following questions.
• Type or write down some answers, including references
• You will be turning in this paper!
• Be prepared to discuss them in class

Questions for next Monday
• Come prepared to discuss
1. What is the most common software vulnerability?
2. Why is this software vulnerability still a problem?
3. Name a known exploit that happened this last year. How extensive was the damage? Who was targeted?
4. Report on a computer security related problem that happened to you or someone else you know
Cite your references!!

The End
Next Time: Attackers
– Monday - Book, Chapters 1, 3, 16 (optional 7)
• Wed: There is a Lab this week!!! Read the material in preparation for the lab; see Lab1 under Labs