1
CSCD 396 Essential Computer Security, Fall 2009
Lecture 2 - Security Overview, Reading: Chapter 1
2
Overview
  • Learning Objectives
  • Become acquainted with the threats
  • Look at popular statistics reports
  • Understand why computer security is difficult
  • Learn basic security definitions

3
Motivation for Computer Security
  • Unless you are in the security business, the usual attitude is
  • Why should I care?
  • So, why should you care?

4
Motivation for Computer Security
  • So, why should you care?
  • Threats are real!
  • Identity theft, malware infects your computer,
    stolen resources for botnets, credit card theft
  • Privacy ... corporate and government threats
  • You need to know your right to protect your
    privacy
  • Look at a few statistics to motivate the need for
    computer security

5
Symantec Report
  • Symantec notes 2008/2009 trends
  • Web-based attacks continue to be very popular
  • A popular, trusted site with a large number of
    visitors can yield thousands of compromises
    from a single attack
  • In 2008, huge increase in malware available
  • Symantec created many more signatures for their
    anti-malware products

6
Symantec Signatures
  • 1,656,227 signatures, a 165% increase over 2007

7
More Symantec Stats
Phishing: incentive is largely financial
8
More Symantec Stats
  • Once attackers have obtained financial
    information or other personal details
  • Names, addresses, and government identification
    numbers
  • Frequently sell data on underground economy
  • Most popular item for sale ... credit card
    numbers
  • Organized groups have figured out ways to use
    those cards to obtain and use those funds

9
More Symantec Stats
  • Some groups in underground economy specialize in
    manufacturing blank plastic cards with magnetic
    stripes
  • Can be encoded with stolen credit card and
    bankcard data.
  • Requires a well-organized level of sophistication
    since the cards are often produced in one
    country, imprinted, and then shipped to countries
    from where stolen data originated

10
More Symantec Stats
  • Popularity of items for sale on underground
    economy

11
Trojan Named Gozi
  • In 2007, SecureWorks Security Research Group
    discovered a new Trojan that captured credentials for
    several Internet banking and e-commerce websites
  • The Trojan, named Gozi, forwarded captured
    credentials to an online database where they were
    being sold to the highest bidder
  • SecureWorks Security Research Group uncovered a
    cache of stolen information
  • Over 10,000 account records containing
  • Online banking user credentials
  • Patient healthcare information
  • Employee login information for confidential
    government and law enforcement applications
  • Further investigation found the data offered for sale by
    Russian hackers for amounts totaling over $2
    million

12
Conficker Worm
  • In 2009, a new threat emerged: a new worm!
  • SRI researchers reported in March 2009:
  • Cumulative census of Conficker.A indicates it
    has affected more than 4.7 million IP addresses,
    while Conficker.B has affected 6.7 million IP
    addresses
  • The exploit used by Conficker was known in
    September 2008
  • Chinese hackers were reportedly the first to
    produce a commercial package to sell this exploit
    (for $37.80)

13
Conficker Worm
  • Exploit causes Windows 2000, XP, 2003 servers,
    and Vista to execute an arbitrary code segment
    without authentication
  • Affects systems with firewalls enabled, but which
    operate with print and file sharing enabled
  • Patch for this exploit was released by Microsoft
    on October 23 2008
  • Why Conficker has been able to proliferate so
    widely may be an interesting testament to the
    reluctance of some PC users to stay current
    with the latest Microsoft security patches

14
CSI/FBI Cybercrime survey
  • Annual CSI Study 2008: the cost of cybercrime is
    still high
  • Interesting in that fewer respondents will answer
    the losses questions ... data for this past year
    show a decrease in losses, but still up over two
    years ago
  • Average annual losses of $289,000 in the past
    year, up from the $168,000 they reported two
    years ago
  • 43% of the overall respondents said that they had
    suffered a security incident
  • 18 percent of those respondents who suffered one
    or more kinds of security incident further said
    they'd suffered a targeted attack
  • Financial fraud was the source of the greatest
    financial loss

15
AVG Security Software Predictions 2008
  • 1. Web exploits and web-based social engineering
    attacks. Viruses will continue to be a threat; also
    expect an explosion of exploits through social
    engineering and Web 2.0 attacks in 2008
  • 2. Storm Worm on the rise. Orchestrated attacks are
    expected across multiple platforms
  • 3. Email-propagated viruses. Many novice users
    remain unaware of email security issues and
    continue to open attachments from senders they do
    not know or click on unsafe hyperlinks
  • 4. Web exploits targeting trusted web sites
  • 5. With increasing adoption of Microsoft's latest
    operating system, Vista will become a bigger and
    thus a more tempting target for the bad guys
16
Difficulty of Computer Security
17
General Comments
  • Online security mirrors offline
  • Motivation and psychology same for online and
    offline world
  • Where there is money, there is crime
  • Difference between online and offline is
  • Harder to track, capture and convict online
    criminals
  • Plus, several aspects of online attacks magnify
    their effects

18
Computer Security is Difficult
  • Why do you think this is true?

19
Computer Security is Difficult
  • Why is this so?
  • 1. Automation of attacks
  • Tools enable attackers to access thousands of
    computers quickly
  • Slammer worm, 2003, infected 75,000 computers in
    11 minutes, continued to scan 55 million
    computers / sec
  • Blaster worm, 2003, infected 138,000 in first 4
    hours, and over 1.4 million computers

20
Computer Security is Difficult
  • 2. Sophistication of attacks
  • Convergence of threats by sophisticated tools
  • MPack and other Trojans exhibit this trait
  • Once installed, they can be used to view
    confidential information that can then be used in
    identity theft or fraud
  • They can also be used to launch phishing attacks
    or to host phishing Web sites
  • Finally, they can be used as spam zombies

21
Computer Security is Difficult
  • 3. Software vulnerabilities are increasing
  • Hard for software vendors to keep up with
    vulnerabilities discovered, less than 6 days from
    discovery of vulnerability to creation of exploit

Chart: CMU/CERT software vulnerabilities reported per year
(http://www.cert.org/stats/): 171 in 1995, 5,990 in 2005
22
Computer Security is Difficult
  • 4. Zero Day attacks
  • A vulnerability discovered by attacker, not the
    developer. So, zero day grace period. Must
    scramble to find the vulnerability and patch it
  • Example
  • A hacker released attack code that exploited an
    unpatched vulnerability in Apple's QuickTime a week
    after the company updated the media player to plug
    nine other serious vulnerabilities
  • September 18, 2008
  • Apple has updated the player five times since the
    beginning of 2008, and fixed more than 30 flaws!!

23
Computer Security is Difficult
  • 5. No Borders, No Boundaries
  • Attackers can be distant from targets
  • Instead of worrying about criminals in your home
    town, worry about all criminals in the world
  • And, how do you prosecute people across country
    borders?

24
Computer Security is Difficult
  • 5. No Borders, No Boundaries
  • Example: In 1995, a 29-year-old hacker from Russia
    made $12,000,000 breaking into Citibank computers
  • Most of the money was later recovered, but
    extraditing the hacker from Russia to stand trial was
    difficult
  • He was later apprehended in London and extradited
    to the US to stand trial
  • Got three years ... see link at end of lecture

25
Computer Security is Difficult
  • 6. Technique Propagation
  • Publish attacks so everyone can use them
  • Damage can grow exponentially
  • Only need a few skilled people, many use their
    exploits and this amplifies the damage of attacks
  • So, search in Google for string,
  • How to write a virus?
  • Comes back with 17,100,000 hits!
  • Some good advice on writing RFID viruses

26
Computer Security is Difficult
  • 7. Badly Designed Security Controls, users are
    required to make security decisions
  • Users do not have enough knowledge to make the
    kind of decisions they are required to make
  • How many will click Cancel?

27
Computer Security Defined
28
Definitions
  • Information Security
  • information security - protecting information and
    information systems from unauthorized access,
    use, disclosure, disruption, modification, or
    destruction
  • Terms information security, computer security and
    information assurance are frequently used
    interchangeably
  • http://en.wikipedia.org/wiki/Information_security

29
Definitions
  • Three common attributes of computer security
  • What are they?

30
Definitions
  • Three common attributes of computer security
  • What are they?
  • Confidentiality
  • Confidentiality is preventing disclosure of
    information to unauthorized individuals or
    systems
  • Example, credit card transaction on the Internet
  • System enforces confidentiality by encrypting the
    card number during transmission or limiting the
    places where it might appear

31
Definitions
  • Integrity
  • Integrity means that data cannot be modified
    without authorization
  • Integrity is violated
  • When an employee (accidentally or with malicious
    intent) deletes important data files
  • When a computer virus infects a computer
  • When an employee is able to modify his own
    salary in a payroll database
  • When an unauthorized user vandalizes a web
    site
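The confidentiality and integrity slides above each name a control without showing it: limiting the places a card number appears, and detecting an unauthorized change to a payroll record. The following is an added example, not code from the lecture or the textbook; the key, the employee record and the card number are constructed values for illustration. It masks a card number for display or logging (confidentiality) and puts an HMAC-SHA256 tag over a payroll record so that an edited salary no longer verifies (integrity).

```python
import hashlib
import hmac
import json

# Constructed key for this example only; a real system keeps the key in a
# secrets store, never in source code.
KEY = b"example-key-not-for-production"


def mask_card_number(pan: str) -> str:
    """Confidentiality: keep only the last four digits so the value can
    appear on a receipt or in a log without disclosing the full number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("card number too short")
    return "*" * (len(digits) - 4) + digits[-4:]


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always yields
    identical bytes (key order and whitespace would otherwise vary)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes = KEY) -> str:
    """Integrity: HMAC-SHA256 tag over the canonical form of the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = KEY) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign_record(record, key), tag)


def integrity_demo() -> dict:
    """Constructed payroll record: the tag verifies as stored, and fails
    after the salary field is changed without re-signing."""
    payroll = {"employee_id": 1042, "name": "A. Example", "salary": 52000}
    tag = sign_record(payroll)
    ok_before = verify_record(payroll, tag)
    tampered = dict(payroll, salary=520000)  # unauthorized edit of own salary
    ok_after = verify_record(tampered, tag)
    return {"ok_before": ok_before, "ok_after": ok_after}


if __name__ == "__main__":
    print(mask_card_number("4111 1111 1111 1111"))
    print(integrity_demo())
```

Whoever holds the key can re-sign a modified record, so the tag only detects changes made by parties without the key; that is why the key must be held by the payroll service and not by the employees whose records it protects.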

32
Definitions
  • Availability
  • Information must be available when it is needed.
  • High availability systems aim to remain available
    at all times, preventing service disruptions due
    to power outages, hardware failures, and system
    upgrades
  • Ensuring availability also involves preventing
    denial-of-service (DoS) attacks
  • See this in the following slide ...
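One basic availability control is to cap how fast any single source may consume a service, so that a flood from one source cannot crowd out everyone else. The block below is an added example, not from the lecture; it implements a per-client token bucket and runs it over constructed traffic (the client addresses and request timings are made up) to show a steady client being served while a burst from one source is mostly rejected.

```python
from collections import defaultdict


class TokenBucket:
    """Per-client token bucket: each client earns `rate` tokens per second,
    holds at most `capacity`, and spends one token per accepted request."""

    def __init__(self, rate: float, capacity: int):
        self.rate = rate
        self.capacity = capacity
        self.tokens = defaultdict(lambda: float(capacity))
        self.last_seen = {}

    def allow(self, client: str, now: float) -> bool:
        # Refill in proportion to the time elapsed since this client's
        # previous request, never exceeding the bucket capacity.
        if client in self.last_seen:
            elapsed = now - self.last_seen[client]
            self.tokens[client] = min(
                self.capacity, self.tokens[client] + elapsed * self.rate
            )
        self.last_seen[client] = now
        if self.tokens[client] >= 1.0:
            self.tokens[client] -= 1.0
            return True
        return False


def simulate() -> dict:
    """Constructed traffic: one client sends a request every second for ten
    seconds; a second source sends 100 requests within a tenth of a second."""
    limiter = TokenBucket(rate=2.0, capacity=5)
    normal_allowed = sum(limiter.allow("10.0.0.7", float(t)) for t in range(10))
    flood_allowed = sum(limiter.allow("203.0.113.9", i * 0.001) for i in range(100))
    return {
        "normal_allowed": normal_allowed,
        "flood_allowed": flood_allowed,
        "flood_rejected": 100 - flood_allowed,
    }


if __name__ == "__main__":
    print(simulate())
```

A single limiter like this protects against one noisy source; a distributed attack from thousands of bots, as on the next slide, needs the same idea applied upstream (at the network edge or a scrubbing provider) and aggregate limits as well as per-client ones.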

33
DDoS Attack Example
  • July 21, 2008: the Web site for the president of Georgia
    was knocked offline by a distributed
    denial-of-service (DDoS) attack
  • Another in a series of cyberattacks against
    countries experiencing political friction with
    Russia
  • Georgia's presidential Web site was down for
    about a day, starting early Saturday until Sunday
  • Network experts said the attack was executed by a
    botnet, or a network of computers that can be
    commanded to overwhelm a Web site with too much
    traffic

34
Another DDoS Attack Example
  • February 16th, 2007
  • Anti-phishing group, CastleCops.com was knocked
    out by a massive DDoS,
  • Volunteer-driven site, run by husband and wife
    team had been coping with on-and-off attacks
    since February 13
  • An intense wave that began around 3:45 PM EST
    completely crippled the server capacity
  • CastleCops.com had just celebrated its fifth
    anniversary as a high-profile anti-malware
    community
  • Comment: this site ceased operation in Dec. 2008

35
More Definitions
  • vulnerability
  • A security exposure in an operating system or
    other system software or application software
    component
  • Security firms maintain databases of
    vulnerabilities based on version number of the
    software
  • If exploited, each vulnerability can potentially
    compromise the system or network
  • For a database of common vulnerabilities and
    exposures, visit http://icat.nist.gov/icat.cfm

36
More Definitions
  • assets
  • In business and accounting, assets are everything
    owned by a person or company that can be
    converted into cash
  • Personally, anything that has value
  • Assets typically need to be protected, even
    information

37
More Definitions
  • exploit
  • An exploit is a piece of software, a chunk of data,
    or a sequence of commands that takes advantage of a
    bug, glitch or vulnerability
  • Purpose is to cause unintended or unanticipated
    behavior to occur on computer software or
    hardware
  • Gaining control of a computer system or allowing
    privilege escalation or a denial of service attack

38
More Definitions
  • exploit
  • Examples of Current Active Exploits
  • Zeus Trojan steals your personal data
  • BackDoor-DTN - Trojan that has rootkit
    capabilities
  • Allows attacker to gain Administrator privileges
  • This backdoor also has password-stealing
    capabilities and can log keystrokes on the system
  • Many others ... see viruslist.com link

39
Sum up Definitions
  • Attackers look for vulnerabilities in systems
  • Typically in software, but others exist
  • Once they find a vulnerability, use an exploit of
    some kind to gain access to the system
  • Looking for assets that have value
  • Information assets are things like SSNs, credit
    card information or other information that leads
    to identity theft
  • Other assets are the computers themselves, whose
    use is taken to build botnets

40
References
  • Wiki page on Russian Hacker
  • http://en.wikipedia.org/wiki/Vladimir_Levin
  • Symantec Security Threat Report
  • http://www.symantec.com/business/theme.jsp?themeid=threatreport
  • Law Firm IT Manager Shows Gozi Video to Backdoor
    Service
  • http://lawfirmit.blogspot.com/2009/04/video-gozi-trojan.html
  • AVG Software Threats 2008
  • http://www.net-security.org/secworld.php?id=5703
  • CSI/FBI Annual Computer Security Survey
  • http://www.gocsi.com/forms/csi_survey.jhtml;jsessionid=WAEOHNS1JTLLTQE1GHPSKH4ATMY32JVN

41
References Continued
  • Zeus Trojan: nasty exploit
  • http://itknowledgeexchange.techtarget.com/security-bytes/zeus-trojan-evades-antivirus-software-trusteer-says/
  • BackDoor-DTN Trojan
  • http://www.esecurityplanet.com/alerts/article.php/3808996/36-BackDoor-DTN-Trojan-Exploits-Microsoft-Flaw-to-Give-Attacker-Admin-Privileges.htm
  • VirusList: site listing current infections
  • http://www.viruslist.com/

42
Questions for Wednesday
  • Wednesday, we will have a discussion during
    second part of class
  • Want you to look up answers to following
    questions.
  • Type some answers including references
  • Be prepared to discuss them in class

43
Questions for Wednesday
  • Come prepared to discuss
  • 1. What is the most common software
    vulnerability?
  • 2. Why is this software vulnerability still a
    problem?
  • 3. Name a known exploit that happened this last
    year? How extensive was the damage? Who was
    targeted?
  • 4. Report on a computer security related problem
    that happened to you or someone else you know
  • Cite your references

44
The End
  • Next time: Attackers
  • Wednesday
  • Change: handout on Vista. No lab this week!!!
  • Read the material in preparation for the lab