S10: Computer Crime and Security, Part 1 - PowerPoint PPT Presentation

Author: Yannis Bakos. Last modified by: Sean J. Taylor. Created date: 8/20/2001 8:11:04 PM. Document presentation format: PowerPoint PPT presentation.

1
S10: Computer Crime and Security, Part 1
C20.0001 Information Technology in
Business and Society
Prof. Dylan Walker
2
Take a Bite Out of (Cyber) Crime
McGruff, crime dog, goes cyber
McGruff the crime dog is jacking in to the Net. In surely the most
convincing sign yet that Internet crime has gone mainstream, the
National Crime Prevention Council is teaming up - somewhat
incongruously - with the Chief Marketing Officer Council to unleash
McGruff on a new virtual beat. Spurred by frightening online crime
stats, like the fact that "77% of youths are contacted in some manner
by online predators by age 14," the new McGruff campaign has picked up
backing by big-name tech firms including Intel, McAfee, Verisign, USA
Today and CNET. To match his new turf, the dog has tweaked his old
line. He now says "Take a Bite Out of Cyber Crime." The idea is cute,
but the backing is serious. For example, Comcast, reports the
Philadelphia Inquirer, will ante up $2 million in televised public
service announcements.
CNNMoney - Monday, September 11, 2006
3
Learning Objectives for Sessions 10 and 11
  1. Understand some common forms of computer crime
    and their impact on individuals and businesses
  2. Recognize some common classes of viruses, how
    they work, how they spread, and their impact on
    individuals and businesses
  3. Understand how denial of service (DoS) and
    distributed DoS attacks are implemented
  4. Discuss spyware, web defacing, identity theft and
    their consequences
  5. Discuss some typical computer security
    precautions
  6. Understand the basics of cryptography, symmetric
    key encryption, and public/private key encryption
    (and the applications in digital signatures)

4
Security and Employees
  • Most of the press reports are about outside
    attacks on computer systems, but actually,
    companies are in far more danger of losing money
    from employee misconduct than they are from
    outsiders.

5
Security and Outside Threats
  • 85% of large companies and governmental agencies
    were broken into during 2003.
  • 64% suffered financial loss; only 35% could
    estimate the loss value.
  • Fraud examiners' rule of thumb - employees:
      • 10% honest
      • 10% steal
      • 80% depends on circumstances
  • Jupiter Media Metrix: cyber-security issues cost
    businesses almost $25 billion by 2006, up from
    $5.5 billion in 2001
  • Security products market tripled from 2002-2005
    to $21 billion

6
TECHNOLOGY AS A WEAPON
  • Suppose you really wanted to be malicious or
    nasty to someone. What are all the different
    IT-related ways in which you could go about this?
  • Now suppose you were potentially the target. How
    would you go about protecting yourself?

7
Types of computer crime
8
Security: The Players
  • Hackers: very knowledgeable computer users who
    delight in having intimate knowledge of systems'
    inner workings. Crackers use their knowledge to
    invade other people's computers.
  • White-hat hackers: find vulnerabilities in order
    to fix them; they notify owners about problems
    and holes
  • Black-hat hackers: find vulnerabilities and
    exploit them for personal benefit
  • Hacktivists: they break systems to protest;
    targets usually have high symbolic value (e.g.,
    CIA, DoD, etc.)
  • Script kiddies / script bunnies: users who know
    little programming but use ready tools to exploit
    vulnerabilities

9
Hackers Video
  • http://www.youtube.com/watch?v=R9vDzaBwD_k&feature=related

10
Viruses
  • Program or set of programs
  • Written to cause annoyance or damage (200 new
    ones every day)
  • Welchia, SoBig, Blaster, Slammer, Code Red, Love
    Bug, Melissa
  • Stand-alone viruses: can run without a VB
    script.
  • Macro viruses: infect an app and run a macro
    or program (can be an email virus like Melissa).
  • Worms: self-replicating; unlike viruses, they do
    not need to attach to an existing program or app.
  • Trojan horses (not really a virus but usually
    classified as such): seem to do one thing but
    perform another (e.g., install backdoors)

11
Viruses
12
Love Bug's Objectives
  • Spread itself by mailing itself to everyone
    through Outlook address book and Internet chat
    software
      • Melissa was only for the first 50 addresses
  • Wipes out files with certain extensions
      • .doc, .xls, .wav, .jpg, ...
      • Puts itself in their place and adds .vbs
  • Changes IE Start page and downloads program
    looking for passwords, sending them by email to
    the virus originator

13
Other security attacks
  • Spoofing - the forging of the return address on
    an e-mail so that the e-mail message appears to
    come from someone other than the actual sender.
  • Klez (appears to come from a technical support
    person)
  • Key logger, or key trapper, software - a program
    that, when installed on a computer, records every
    keystroke and mouse click.
  • Available in trojan horse form so you can hide it
    in email
  • e.g., SC-Keylog http//www.majorgeeks.com/download
    4136.html

14
DoS and D-DoS attacks: What are they?
  • Denial-of-service (DoS) attacks
      • Attack a machine/server and make it unusable
        (e.g., flood a Web site with so many requests for
        service that it slows down or crashes.)
      • Usually the attacker does not get access to the
        system which is being attacked
  • Distributed denial-of-service (D-DoS)
      • Attack a single machine/server from multiple
        computers (e.g., flood a Web site with so many
        requests for service that it slows down or
        crashes.)
  • The term "Ping of Death" is NOT used to describe
    the D-DoS described in the textbook (i.e., the
    textbook is wrong)
  • E-trade, Amazon, Yahoo, Microsoft, Whitehouse

15
Ping of Death
  • A ping of death: a ping is normally 64 bytes;
    many computer systems cannot handle a ping larger
    than the maximum IP packet size, which is 65,535
    bytes. Sending a ping of this size can crash the
    target computer.
  • Sending a 65,536 byte ping packet is illegal
    according to networking protocol, but a packet of
    such a size can be sent if it is fragmented; when
    the target computer reassembles the packet, a
    buffer overflow can occur, which often causes a
    system crash.
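
A receiver-side check for the oversized reassembly described above, added here as an example that is not part of the original slides: it parses each IPv4 fragment header and flags any fragment whose offset plus length would push the datagram past 65,535 bytes. The function names, addresses and sample headers are constructed for illustration.

```python
import struct

MAX_IP_PACKET = 65535  # upper bound of the 16-bit IPv4 total-length field

def parse_fragment(header: bytes):
    """Return (header_len, payload_offset, payload_len, more_fragments)."""
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    header_len = (ver_ihl & 0x0F) * 4
    if header_len < 20 or total_len < header_len:
        raise ValueError("malformed IPv4 header")
    payload_offset = (flags_frag & 0x1FFF) * 8   # offset field counts 8-byte units
    more_fragments = bool(flags_frag & 0x2000)
    return header_len, payload_offset, total_len - header_len, more_fragments

def reassembled_size(header: bytes) -> int:
    """Size the datagram would need after reassembly if this fragment is accepted."""
    header_len, offset, payload_len, _more = parse_fragment(header)
    return header_len + offset + payload_len

def is_oversized(header: bytes) -> bool:
    """True when accepting this fragment would grow the datagram past 65,535 bytes."""
    return reassembled_size(header) > MAX_IP_PACKET

def make_header(total_len: int, offset_units: int, more: bool) -> bytes:
    """Build a constructed 20-byte IPv4/ICMP header for the demo (checksum left zero)."""
    flags_frag = (0x2000 if more else 0) | offset_units
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, flags_frag,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))

# Constructed samples: an ordinary ping, a legitimate middle fragment, and a
# final fragment whose offset plus length runs past the 65,535-byte limit.
SAMPLES = {
    "normal ping": make_header(84, 0, False),
    "middle fragment": make_header(1500, 185, True),
    "oversized tail": make_header(1500, 8189, False),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:16} size={reassembled_size(hdr):6} drop={is_oversized(hdr)}")
```

The point of the check is that it runs on each fragment as it arrives, before any bytes are copied into the reassembly buffer.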

16
Distributed denial-of-service attacks
  1. Sets of company servers are hacked
  2. At a specific time, all hacked servers ping their clients, but
    with a wrong reply IP address
  3. The clients reply to the wrong IP address, which is the target
  4. The target web site is overloaded
17
Spyware
  • Software that gathers information about users
    without their knowledge
  • Initially created for marketing purposes, and
    called adware.
  • Tracks Web surfing or online buying so marketers
    can send you targeted--and unsolicited--ads
  • Potential damage:
      • Monitor keystrokes (including username,
        passwords, email content); take snapshots of
        the screen; scan your hard disk.
      • Having a number of unauthorized programs running
        on your PC at once makes it sluggish, unstable,
        and, ultimately, more likely to crash.
      • Monitors and transmits user activity to someone
        else. Other spyware may have a more malicious
        intent, such as stealing passwords or credit-card
        information.

18
Spyware
  • How do we get it?
  • Insidious: the user often unwittingly installs
    spyware when trying to install something else
  • Simply clicking on a banner ad can install
    spyware.
  • Worms, which are self-propagating viruses, can
    also carry spyware. They search for machines that
    don't have up-to-date security patches.
  • Sometimes spyware is secretly bundled with free
    software you download from the Internet. Sites
    that offer music-sharing, videos, weather data,
    games, and screen savers often are paid to
    distribute adware.
  • When you install the software, you might see a
    pop-up window that asks you to agree to certain
    conditions. Most users just click "I agree"
    without reading the fine print. Often they are
    authorizing the installation of additional
    data-collection and ad-serving software that can
    muck up their PCs.

19
Web defacing
How can defacing affect the firm whose site
changes?
20
Computer Crime: Web Defacing
21
Computer Crime: Web Defacing
22
Example of Computer Crime
  • Identity theft (movie: Face Off)
      • Existed before the web/Internet but became
        widespread only after
      • Theft of SSN, driver's license, credit cards
      • Financial charges, ruin your credit ratings
      • Bill X-rated material on your account
      • Engage in illegal activities with your identity
        (E-Bay)
  • Phishing
      • Attempts to fraudulently acquire sensitive
        information, such as passwords and credit card
        details, by masquerading as a trustworthy person
        or business in an apparently official electronic
        communication, such as an email or an instant
        message

23
Security precautions
  • Lock up your computers, disconnect them from all
    networks, don't use shared storage media.
  • Data backups
  • Anti-virus software
  • Firewalls (keep outsiders out)
  • Access authentication (keep insiders out)
  • Encryption
  • Intrusion-detection and security-auditing
    software

24
Security precautions
25
Password Precautions
26
Firewall
  • Network layer (TCP/IP): packet filtering
  • Application layer: FTP, Telnet
  • Hardening of an operating system involves the
    removal of all non essential tools, utilities and
    other system administration options, any of which
    could be used to ease a hacker's path to your
    systems.

[Diagram labels: Attacker; Attack Message; Internet; Firewall; Corporate Network; Hardened Client PC; Hardened Server With Permissions]
27
  • Technical Aspects of Information Security

28
Four Critical Information Security Issues
  • Confidentiality
      • keeping information from unauthorized usage.
  • Authentication
      • determining whose information you are receiving
      • determining who is on the other end before
        sending information
  • Non-repudiation
      • preventing repudiation after an agreement by
        dealing with digital signatures
  • Integrity control
      • determining whether the information you receive
        is genuine (or unadulterated).

29
Cryptography
  • http://www.youtube.com/watch?v=XeaZGt8_j1k&feature=related

30
Cryptology: Cryptography and Cryptanalysis
  • Two concepts
      • Cryptography: the art of devising ciphers
      • Cryptanalysis: the art of breaking ciphers
  • Two types of cryptography
      • Symmetric key algorithm
          • One common secret key to encrypt and decrypt
      • Public key algorithms
          • Two sets of keys
          • Use public key to encrypt a message
          • Use private key to decrypt
          • Diffie and Hellman (1976)
          • RSA: Rivest, Shamir, Adleman (1978)

31
Cryptography: A Historical Example
  • Developers/users of cryptology
      • Military, Diplomatic Cops, Intelligence, Lovers
  • Caesar ciphers
      • shifting letters rightward by k letters
      • e.g. right shifting by 1 letter (abc -> bcd)
      • P, plaintext: Cross the river
      • C, ciphertext: Dsptt uif sjwfs
      • E, encryption function: right-shift letters by k
        locations
      • D, decryption: left-shift letters by k locations
      • k, key: 1
      • C = E1(P): Cross the river -> Dsptt uif sjwfs
      • P = D1(C): Dsptt uif sjwfs -> Cross the river

32
Cryptography Example: Symmetric Key
  • Substitution ciphers
      • e.g. mono-alphabetic substitution
      • abcdef ghijkl mnopqr stuvwx yz
      • qwerty uiopas dfghjk lzxcvb nm
      • P (i go to nyu) -> Ek(P) -> C (o ug zg fnx)
  • Problem: both parties need to know the key
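
The Caesar and mono-alphabetic examples from the two slides above, as an added Python example that is not part of the original slides. It treats the Caesar shift as a special case of substitution and goes one step beyond the slides by recovering a Caesar key from ciphertext alone by trying all 26 shifts; the function names and the small scoring word list are assumptions.

```python
import string

ALPHABET = string.ascii_lowercase
SLIDE_KEY = "qwertyuiopasdfghjklzxcvbnm"  # cipher alphabet shown on the slide
COMMON_WORDS = {"the", "and", "to", "of", "in", "is"}  # constructed scoring list

def caesar_key(k: int) -> str:
    """Caesar shift by k, expressed as a substitution alphabet (a maps to key[0])."""
    k %= 26
    return ALPHABET[k:] + ALPHABET[:k]

def _translate(text: str, src: str, dst: str) -> str:
    # Map both cases; spaces, digits and punctuation pass through unchanged.
    return text.translate(str.maketrans(src + src.upper(), dst + dst.upper()))

def encrypt(plaintext: str, key: str) -> str:
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of a-z")
    return _translate(plaintext, ALPHABET, key)

def decrypt(ciphertext: str, key: str) -> str:
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of a-z")
    return _translate(ciphertext, key, ALPHABET)

def break_caesar(ciphertext: str):
    """Try all 26 shifts and keep the one whose output has the most common words."""
    def score(k: int) -> int:
        words = decrypt(ciphertext, caesar_key(k)).lower().split()
        return sum(w in COMMON_WORDS for w in words)
    best = max(range(26), key=score)
    return best, decrypt(ciphertext, caesar_key(best))

if __name__ == "__main__":
    print(encrypt("Cross the river", caesar_key(1)))  # Caesar cipher with k = 1
    print(encrypt("i go to nyu", SLIDE_KEY))          # the slide's substitution key
    print(break_caesar("Dsptt uif sjwfs"))            # key recovered without being told
```

The general substitution key has 26! possibilities rather than 26, so exhaustive search no longer works, but both parties still have to share that key in advance, which is the problem the slide ends on.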

33
Public-Key Cryptography
[Diagram labels: Alice; Public Directory; Bob; Bob's Public Key; LOCKING KEY (L) Encryption; UNLOCKING KEY (K) Decryption; Plaintext 101101010; Ciphertext ????????]
  • Public key used to encode data
  • Private key used to decode data

34
Symmetric Vs. Public Key
  • Symmetric key
      • much faster
      • key needs to be transmitted or maintained
  • Public key
      • much slower
      • no transmission of key necessary

35
Digital Signature for Authentication
[Diagram labels: Bob; Public Directory; Alice; Bob's Public Key; LOCKING KEY (L) Encryption; UNLOCKING KEY (K) Decryption; Plaintext 101101010; Ciphertext ????????; "This is Bob!!"]
  • Private key used to encode data
  • Public key used to decode data
  • Since the plaintext is locked with Bob's private
    key, it has to have come from Bob
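
The public-key encryption and digital-signature slides, as one added example that is not part of the original slides: textbook RSA with a deliberately small constructed key pair for Bob, showing public-key lock and private-key unlock, then the reverse for signing. Function names and key sizes are assumptions, and the padding and hashing that production schemes add (for example OAEP and PSS) are omitted.

```python
# Textbook RSA with a toy key pair (constructed for this example, not secure).
P = 2**61 - 1            # Mersenne prime
Q = 2**89 - 1            # Mersenne prime
N = P * Q                # modulus, part of both keys
E = 65537                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

BOB_PUBLIC = (N, E)      # published in the public directory
BOB_PRIVATE = (N, D)     # known only to Bob

def _to_int(message: bytes, n: int) -> int:
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return m

def _to_bytes(value: int) -> bytes:
    return value.to_bytes((value.bit_length() + 7) // 8, "big")

def encrypt(message: bytes, public_key) -> int:
    """Anyone can lock a message for Bob with his public key."""
    n, e = public_key
    return pow(_to_int(message, n), e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the private-key holder can unlock it."""
    n, d = private_key
    return _to_bytes(pow(ciphertext, d, n))

def sign(message: bytes, private_key) -> int:
    """Bob locks the message with his private key (no padding or hashing here)."""
    n, d = private_key
    return pow(_to_int(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Anyone can unlock the signature with Bob's public key and compare."""
    n, e = public_key
    return pow(signature, e, n) == _to_int(message, n)

if __name__ == "__main__":
    c = encrypt(b"101101010", BOB_PUBLIC)
    print(decrypt(c, BOB_PRIVATE))                      # Alice -> Bob, confidentiality
    sig = sign(b"This is Bob!!", BOB_PRIVATE)
    print(verify(b"This is Bob!!", sig, BOB_PUBLIC))    # genuine message
    print(verify(b"This is Eve!!", sig, BOB_PUBLIC))    # altered message
```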

36
KEY ESCROW AND KEY RECOVERY
  • What if key(s) are lost?
  • What if an employee is away, gets fired, leaves
    for a competitor?
  • What if the government wants to listen in?
      • legal wiretaps
      • espionage
  • Key escrow and recovery systems allow access to
    encrypted information without the proper key
      • like a master key or a locksmith
      • encryption only as secure as the escrow/recovery
        procedures

37
Some applications of cryptography
  • Secure communications
      • telephones, faxes and email
      • business transactions
      • web pages
  • Authentication
      • software programs
      • information
  • Electronic cash
      • verifiable, yet anonymous
      • smart cards or net cash
  • Tamper-proof documents
      • driver's licenses
      • designs, plans
      • checks, contracts
  • Digital rights management
      • all digital goods

38
Learning Objectives for Sessions 10 and 11
  1. Understand some common forms of computer crime
    and their impact on individuals and businesses
  2. Recognize some common classes of viruses, how
    they work, how they spread, and their impact on
    individuals and businesses
  3. Understand how denial of service (DoS) and
    distributed DoS attacks are implemented
  4. Discuss spyware, web defacing, identity theft and
    their consequences
  5. Discuss some typical computer security
    precautions
  6. Understand the basics of cryptography, symmetric
    key encryption, and public/private key encryption
    (and the applications in digital signatures)