Information Security 551 Dong Xuan - PowerPoint PPT Presentation

Provided by: pattyk
2
Lifting the Cover on Spyware
  • Alireza Amini
  • Debra Czap
  • Patricia Keller

3
What is Spyware?
  • Programs classified as spyware send information
    about you and your computer to somebody else

4
Hard Drive Information
  • Report what programs are installed
  • Content of email address book
  • Any other information about or on your computer

5
Collected Information
  • Visited web sites
  • Search terms
  • Names of files downloaded
  • Information typed into forms

6
Personal Information
  • Your name
  • Your phone number and address
  • Credit card numbers
  • Login names and passwords

7
Use of Spyware
  • Spouse monitor
  • Primary use for a common key logger
  • Dueling spouses can install key loggers on their
    machine to spy on each other at the same time!

8
Use of Spyware (cont.)
  • Child monitor
  • One of the more legitimate uses for a snooping
    program
  • For parents concerned about online safety and
    want to monitor their children

9
Use of Spyware (cont.)
  • Children spying on parents
  • More common than you think
  • Today's children are technologically
    sophisticated
  • They install key loggers and intercept passwords
    to unlock parental controls

10
Use of Spyware (cont.)
  • Boss spying on employees
  • Employers should make it very clear that computer
    information is logged and monitored
  • Without stringent privacy policies,
    corporations run the risk of litigation

11
Use of Spyware (cont.)
  • Corporate espionage
  • One spyware application on a key machine can
    reveal a wealth of sensitive information, trade
    secrets and contacts
  • Businesses should invest in anti-spyware
    technology

12
Use of Spyware (cont.)
  • Identity theft
  • A public machine is a spyware accident waiting to
    happen
  • An application can be installed at an office
    store, university or public access terminal
  • Best to play it safe and never put sensitive
    information into a public machine

14
Keyloggers
  • Commercially available
  • Spyware is legal, but how it is used may not
    be legal
  • Do not record mouse movement
  • Can be fooled by using mouse to cut and paste

15
Keyloggers (cont.)
  • Keyloggers: record the user's every keystroke
  • Hardware: small device attached between keyboard
    and computer or inside keyboard.
  • Limited memory
  • Requires physical access.
  • Software: installed on the hard drive.
  • Commercially available
  • Can transmit information remotely (FTP, email)

16
Hardware Keyloggers
  • Requires physical access to install and retrieve
  • To prevent:
  • Secured physical environment.
  • Visual check for attached devices

17
Hardware Keyloggers (cont.)
18
Hardware Keyloggers (cont.)
  • First hardware keylogger legal case
  • Bristol Insurance Company (California)
  • Employee spying on his employer
  • Violation of Federal Wiretap statute?
  • California Judge dismissed the case

19
Software Keyloggers
  • Commercially available
  • Example: Lover Spy (spies by sending an e-card)
  • Installation
  • Inside: i.e. employee
  • Outside: i.e. download or Trojans
  • Removal
  • May be hard since it can be installed in many
    locations.
  • Spyware removal software

20
Software Keyloggers (cont.)
21
Keylogger Cases
  • Cases
  • 2005: Florida wife spies on cheating husband
  • Broke the Florida law (illegal interception of
    electronic communication)
  • 2004: Russian keyloggers hit bank
  • 1M Euros stolen in 2004 from bank customers in
    France.

22
Keylogger Cases (cont.)
  • Cases continued
  • 2003: Boston College student spies on campus
  • More than 100 keyloggers installed on campus
    computers.
  • Dismissed from university
  • 2003: Kinko's, New York City
  • 14 machines had keylogger software installed on
    them

23
Keyloggers and Law Enforcement
  • 2001: United States vs. Scarfo
  • FBI used software keylogger to capture encrypted
    password
  • Search warrant and permission to leave special
    software on suspect's computer was obtained

24
Anti Spyware Legislation
  • 2004: FTC Commissioner
  • Too early for Congress to pass laws
  • Instead educate public
  • Use existing laws
  • Critics
  • Problem too hard to solve
  • FTC misunderstands the problem

25
Anti Spyware Legislation (cont.)
  • Spyware Internet Protection bill
  • Enhanced Consumer Protection Against Spyware Act
    of 2005 (S.1004)
  • Internet Spyware (I-SPY) Prevention Act of 2005
    (H.R. 744)
  • 'Securely Protect Yourself Against Cyber Trespass
    Act' or the 'Spy Act' (H.R. 29)

27
Anti-Spyware Complements Traditional Methods
[Figure: defensive tools (Anti-Virus, Patch Management, Personal Firewall, Anti-Spyware) shown against threat labels: buffer overflows, IE exploits, Outlook exploits, worms, viruses, Trojans, spyware, adware, hacker tools, distributed denial-of-service zombies, keyloggers, hack in progress, routed attack, port scan]
28
More Dangerous, Easier to Launch, Many More
Source: CERT, Carnegie Mellon University
29
Software Security: Proactive Prevention
  • U.S. Department of Homeland Security announced in
    2004 that 95% of software security bugs come from
    19 common and well understood programming
    mistakes that are preventable.

http://niap.nist.gov/cc-scheme/testing_labs.html
30
19 Deadly Sins of Software Security
  • 1) Buffer Overruns
  • 2) Format String Problems
  • 3) Integer Overflows
  • 4) SQL Injection
  • 5) Command Injection
  • 6) Failing to handle errors
  • 7) Cross-site scripting

31
19 Deadly Sins of Software Security
  • 8) Failing to protect network traffic
  • 9) Use of magic URLs and Hidden Form fields
  • 10) Improper use of SSL and TLS
  • 11) Use of weak password-based systems
  • 12) Failing to store and protect data securely
  • 13) Information leakage
  • 14) Improper file access

32
19 Deadly Sins of Software Security
  • 15) Trusting network name resolution
  • 16) Race conditions
  • 17) Unauthenticated key exchange
  • 18) Cryptographically strong random numbers
  • 19) Poor Usability

33
Ever wonder how the bad guys got your credit
card number?
  • SQL Injection is one method
  • Any programming language used to interface with
    a database can be affected
  • Attacker can gain private personal information or
    sensitive data
  • All-too-common code defect that can lead to
    machine compromises and disclosure of sensitive
    data.

34
Sinless Strategies
  • Spotting the code defects, code review and
    testing
  • Redemption steps
  • Extra defensive measures
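
The SQL injection defect from the previous slide, its redemption step (parameter binding) and one extra defensive measure (input validation), as an added example that is not part of the original slides. The table, the sample rows and all function names are constructed for illustration.

```python
import re
import sqlite3

# Hypothetical allowlist for a customer-name field (an assumption of this example).
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")

def make_db():
    """Build an in-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, card_number TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "4111-0000-0000-0001"),  # constructed test values
         ("bob", "4111-0000-0000-0002")],
    )
    return conn

def lookup_vulnerable(conn, name):
    # The defect: input is pasted into the SQL text, so a quote character
    # in `name` changes the structure of the statement itself.
    query = "SELECT name, card_number FROM customers WHERE name = '%s'" % name
    return conn.execute(query).fetchall()

def lookup_safe(conn, name):
    # Redemption step: the statement text is fixed and the input is bound
    # as a parameter, so it is only ever compared as a value.
    query = "SELECT name, card_number FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

def lookup_defended(conn, name):
    # Extra defensive measure: reject input that does not look like a name.
    # Validation supplements binding; it does not replace it.
    if not NAME_RE.fullmatch(name):
        raise ValueError("unexpected characters in name")
    return lookup_safe(conn, name)

if __name__ == "__main__":
    conn = make_db()
    crafted = "nobody' OR '1'='1"  # constructed input containing quotes
    print("vulnerable:", lookup_vulnerable(conn, crafted))  # every row leaks
    print("safe:      ", lookup_safe(conn, crafted))        # no rows
    print("legit:     ", lookup_defended(conn, "alice"))    # one row
```

In code review, the pattern to spot is any query string assembled with `%`, `+` or an f-string from request data; the bound form also handles legitimate names containing an apostrophe, which the concatenated form cannot.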

35
Best Practices
  • Policy/Standards/Practices
  • Education/Training/Awareness
  • Information Security Body of Knowledge
  • Certifications

36
Resources
  • URL sites
  • www.cve.mitre.org
  • www.securityfocus.com
  • www.osvdb.org
  • Netlibrary OSU resource
