New Surveys (1-3-2001) - PowerPoint PPT Presentation

Title: New Surveys (1-3-2001)
Slides: 23
Provided by: Denni254
Learn more at: https://sites.pitt.edu

Transcript and Presenter's Notes

1
New Surveys (1-3-2001)
  • Poll of 1,400 CIOs by RIH Consulting (U.S.
    companies with > 100 employees)
  • More than 90% are confident in their firm's
    network security
  • Last August, 58% had increased spending on security
  • Computer Security Institute survey:
  • 50% failed to report break-ins
  • $265 million in 1999 losses
  • PWC: Fortune 1,000 firms lost $45 billion;
    high-tech firms most vulnerable

http://computerworld.com/cwi/story/0,1199,NAV47_STO55809_NLTpm,00.html
2
Are There Problems?
  • Well-known sites are hacked continually
  • Example: NY Times site hacked 9-13-98
  • Site was closed down for hours
  • Hackers replaced content with a hacker manifesto
    plus offensive material
  • More public awareness!

WSJ, Sept. 14, 1998
3
Recent Headline (Jan 6, 2001)
  • FBI Teams Up with Business to Fight Cybercrime
    (Reuters)
  • FBI now encouraging companies to share info (via
    secure e-mail and web site) about break-ins
  • One estimate puts hacking losses at $1.6 trillion
    annually, globally
  • FBI is working on 1,200 cybercrime cases, up from
    450 in early 1998

4
Recent Case
  • Pacific Bell's site cracked by a 16-year-old hacker
  • Downloaded info from 200,000 user accounts
  • When the data was confiscated, 63,000 of the
    passwords had already been cracked
  • Pac Bell sent out a recommendation that all
    330,000 subscribers change their passwords

Infoworld, 2-24-2000, p. 64
5
Recent Case
  • CD Universe
  • 300,000 credit card numbers were pulled from its
    database
  • Faxed CD Universe an offer to destroy the numbers
    for $100,000; it was refused
  • Hacker published 25,000 on his web site
  • SSL didn't help! (SSL only protects data in
    transit; the numbers were taken from the stored
    database)

Infoworld, 2-24-2000, p. 64 Wall Street Journal,
1-11-2000, p. B10
6
Recent Attacks: DoS (February 2000)
  • Highly visible sites such as
  • Amazon
  • eBay
  • Yahoo!
  • Buy.com
  • They weren't attacked directly; users' computers
    were compromised first!
  • Those compromised computers then repeatedly hit
    the sites (a distributed denial of service)

7
Respondents' Increases in Cost, Frequency
Losses reported by 66 respondents, in millions of dollars

Type of loss                        1997     2000
Theft of information               $20.0    $66.7
Financial fraud                     24.9     56.0
Virus                               12.5     29.2
Insider abuse of Internet access     1.0     28.0
Sabotage of data/network             4.3     27.1
Unauthorized insider access          4.0     22.6
Other                               33.4     36.0
Total                              100.1    265.6

Computer Security Institute and FBI Survey
Infoworld, 5-15-2000, p. 20
8
Security (CERT) Incidents
[chart not reproduced in the transcript; source: CERT's site]
9
Federal Government and Cybercrime
  • The Federal Government spends $10 million
    annually on computer crime-related law
    enforcement
  • There are 16,000 law enforcement agencies
  • Therefore, the Federal Government spends $625
    per agency!

10
Security Breaches Abound
  • Perfect Technologies tested 50 sites
  • Security breaches found in all 50
  • In 8, any file could be accessed
  • In 2, financial transactions could be executed
  • In 2, full admin control was gained
  • Time needed ranged from 10 minutes to 10 hours

PC World, June 2000, p. 104
11
Gartner Group's Grim Estimate
  • 50% to 75% of all commercial sites can be
    hacked.

PC World, June 2000, p. 104
12
Ominous Prediction
  • The Gartner Group predicted that there was an 80%
    chance that by 2001 a high-profile web site would
    be hacked, resulting in a huge stock price tumble
    for the firm.

Infoworld, 7-19-99, p. 24
13
What does a hacked site contain?
  • If you dare, go to www.onething.com/archive/index.htm
    for an archive of hacked sites.

14
Some Stats (3-8-99)
[chart not reproduced in the transcript; source: Internet World, 3-8-99]
15
Security
  • Is Web-enabling an application less secure than a
    traditional dial-up application?
  • Many say NO
  • Remote access opens up risks whatever the access
    mechanism, dial-up included
  • Planning can help minimize the risks
  • However, the risks are huge

16
Hackers
  • Have philosophies and a culture that the security
    staff should probably understand!
  • Some discuss curiosity
  • Some discuss leverage
  • Some reflect on their exploits

17
What a Hacker Does
  • Case you (reconnaissance: what server, which version)
  • Scan you (probe all ports with packets)
  • Gain access (exploit weaknesses)
  • Live there (maintain access: capture info or attack
    others)
  • Cover up the tracks (delete or edit logs)
  • From Ed Skoudis, Counter Hack
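
The five steps above are the attacker's side of the story; the defender's first realistic chance to notice is the "scan you" step, because probing every port leaves a very distinctive trail in firewall logs. The following Python is an added example, not code from the slides or from Counter Hack: it parses iptables-style syslog lines (constructed here, not captured from any real system) and flags any source that sends SYNs to many distinct destination ports within a sliding time window. The log format, the 10-port / 60-second thresholds and the IP addresses are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# iptables-style syslog line from a perimeter firewall that logs inbound SYNs.
# Syslog timestamps carry no year, so the caller supplies one.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+) .*\bSYN\b"
)


def parse_event(line: str, year: int = 2001):
    """Return (timestamp, source_ip, dest_port) for a logged SYN, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["src"], int(m["dpt"])


def detect_port_scans(lines, port_threshold: int = 10, window_seconds: int = 60):
    """Flag any source whose SYNs reach port_threshold distinct destination
    ports inside a sliding window of window_seconds.

    Returns {source_ip: (time_of_first_alert, distinct_ports_in_window)}.
    """
    events = sorted(e for e in map(parse_event, lines) if e is not None)
    recent = defaultdict(deque)  # source_ip -> deque of (ts, port) still in window
    alerts = {}
    for ts, src, dpt in events:
        window = recent[src]
        window.append((ts, dpt))
        cutoff = ts - timedelta(seconds=window_seconds)
        while window and window[0][0] < cutoff:
            window.popleft()          # drop probes that fell out of the window
        distinct_ports = {port for _, port in window}
        if len(distinct_ports) >= port_threshold and src not in alerts:
            alerts[src] = (ts, len(distinct_ports))
    return alerts


# --- Constructed sample log (assumed format, not a real capture) -----------
def _syslog_line(ts: datetime, src: str, dpt: int) -> str:
    return (f"{ts:%b %d %H:%M:%S} gw kernel: FW-IN: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 PROTO=TCP SPT=40123 DPT={dpt} WINDOW=65535 "
            f"RES=0x00 SYN URGP=0")


def sample_lines():
    base = datetime(2001, 1, 3, 10, 0, 0)
    at = lambda secs: base + timedelta(seconds=secs)
    probed = [21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]
    lines = []
    # 203.0.113.7: the scanner from the slide, one port per second.
    lines += [_syslog_line(at(i), "203.0.113.7", p) for i, p in enumerate(probed)]
    # 198.51.100.5: an ordinary web client that only ever touches 80 and 443.
    lines += [_syslog_line(at(5 + 7 * i), "198.51.100.5", p)
              for i, p in enumerate([80, 443, 80, 443, 80])]
    # 203.0.113.9: a slow scan, one port every 90 s, which outlasts a 60 s window.
    lines += [_syslog_line(at(20 + 90 * i), "203.0.113.9", p)
              for i, p in enumerate(probed)]
    return lines


if __name__ == "__main__":
    for src, (when, n) in detect_port_scans(sample_lines()).items():
        print(f"{when:%H:%M:%S} possible port scan from {src}: {n} ports in 60 s")
```

With the defaults only the fast scanner is reported; the slow scanner spaces its probes beyond the window and slips through, and widening the window to an hour catches it at the price of holding more state per source. That trade-off between window length, memory and false positives is the usual tuning problem in scan detection.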

18
Some Cautions
  • A weak system can't be protected with
    cryptography
  • Schneier: "If you think cryptography can solve
    your problem, then you don't understand your
    problem and you don't understand cryptography."
  • User-remembered secrets terribly weaken a system

PC Week, 8-10-98, p. 36
19
A Moving Target
  • As larger and larger keys are devised, computing
    power grows to break them.
  • Networks of PCs can become a supercomputer.
  • The Electronic Frontier Foundation built hardware
    for $250,000 that recovered a 56-bit DES key in
    56 hours.

Infoworld, 7-19-99, p. 24
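
An added example (not from the slides or the cited articles) that makes slide 18's two cautions concrete and gives slide 19's key-size arithmetic a function to call. When a 256-bit file key is derived from a user-chosen password, an attacker who can test guesses offline only has to search the password space, not the key space, so the cryptography is exactly as strong as the password. The derivation scheme (PBKDF2-HMAC-SHA256 plus a key-confirmation tag), the salt, the iteration count and the wordlist are all assumptions made for illustration.

```python
import hashlib
import hmac
import math

# Assumed scheme (not from the page): a 256-bit key is derived from the
# user's password with PBKDF2-HMAC-SHA256, and the container header stores
# HMAC(key, b"key-check") so the right password can be recognised offline.
# Any format that lets an attacker test guesses offline behaves the same way.
ITERATIONS = 10_000                         # illustrative; real systems use more
SALT = bytes.fromhex("5a9c1e3fd2b7408a")    # constructed 8-byte salt
KEY_CHECK_LABEL = b"key-check"


def derive_key(password: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Stretch a password into a 32-byte (256-bit) key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def key_tag(key: bytes) -> bytes:
    """Key-confirmation tag stored beside the ciphertext (assumed design)."""
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()


def dictionary_attack(tag: bytes, wordlist, salt: bytes = SALT):
    """Offline guess-and-check against the stored tag.

    Returns (password, guesses_made) on success, (None, guesses_made) otherwise.
    The cost per guess is one PBKDF2 run; the number of guesses is bounded by
    the size of the password space, never by the 256-bit key length.
    """
    for n, guess in enumerate(wordlist, 1):
        if hmac.compare_digest(key_tag(derive_key(guess, salt)), tag):
            return guess, n
    return None, len(wordlist)


def entropy_bits(keyspace_size: int) -> float:
    """Effective strength of a secret drawn uniformly from keyspace_size values."""
    return math.log2(keyspace_size)


def time_to_exhaust_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case seconds to try every key of the given size at a given rate
    (the slide's point: the rate keeps growing, so bits must grow with it)."""
    return 2.0 ** bits / guesses_per_second


# Constructed wordlist standing in for a real leaked-password list.
WORDLIST = ["password", "123456", "qwerty", "letmein", "welcome", "monkey",
            "dragon", "baseball", "football", "letmein1", "iloveyou", "admin"]

# Stored tag for a user who chose "letmein1" (constructed scenario).
STORED_TAG = key_tag(derive_key("letmein1"))


if __name__ == "__main__":
    pw, guesses = dictionary_attack(STORED_TAG, WORDLIST)
    print(f"recovered {pw!r} after {guesses} guesses")
    print(f"wordlist of {len(WORDLIST)}:   {entropy_bits(len(WORDLIST)):6.1f} bits")
    print(f"8 lowercase letters: {entropy_bits(26 ** 8):6.1f} bits")
    print(f"random 256-bit key:  {entropy_bits(2 ** 256):6.1f} bits")
    # 56-bit DES at a hypothetical 1e11 keys/s, as in the slide's hardware example
    print(f"56-bit exhaustive search at 1e11 keys/s: "
          f"{time_to_exhaust_seconds(56, 1e11) / 3600:.1f} hours")
```

The stretching (PBKDF2 iterations) multiplies the attacker's cost per guess but does not change the number of guesses, which is why a memorable password sits tens of bits below the key it unlocks; the only fixes are secrets that are not user-remembered (random keys in hardware tokens, key files) or a second factor. The last line ties back to the previous slide: the entropy function and the guess rate together decide whether a key size is safe this year.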
20
One Tactic
  • Hacker calls into a known corporate exchange,
    randomly dialing numbers (war dialing)
  • Finds an employee with pcAnywhere running for
    remote office access
  • Gains instant access to the entire corporate
    network

PC Week, 8-24-98, p. 62
21
Top 20 Internet Risks (SANS/FBI)
  1. Default installations
  2. Poor passwords
  3. Few backups
  4. Open ports
  5. Lack of packet filtering
  6. Poor logging
  7. Vulnerable CGI
  8. Windows Unicode (IIS folder traversal)
  9. Windows ISAPI buffer overflows
  10. Windows IIS flaws
  11. Unprotected shared folders
  12. Windows null-session leakage
  13. Windows LAN Manager password hash
  14. Unix remote procedure call buffer overflows
  15. Unix Sendmail vulnerabilities
  16. Unix BIND weaknesses
  17. Unix trust relationships (r commands)
  18. Unix remote print daemon buffer overflows
  19. Unix sadmind/mountd buffer overflows
  20. Unix default SNMP community strings

SANS Institute, www.sans.org/top20.html
eWeek, Oct 15, 2001, p. 60
22
Virus Attacks: Rapid Acceleration

Name                       Year                  Type                        Time to become most prevalent   Damage
Jerusalem, Cascade, Form   1990                  EXE / boot sector           3 years                         $50 million
Concept                    1995                  Word macro                  4 months                        $50 million
Melissa                    1999                  E-mail Word macro           4 days                          $93-385 million
Love Bug                   2000                  E-mail VB Script            5 hours                         > $700 million
Sircam, Code Red, Nimda    Jul, Aug, Sept 2001   E-mail-disguised EXE        hours                           ?
                                                 (Sircam, Nimda); IIS
                                                 exploit (Code Red, Nimda)

eWeek, 6-19-2000, p. 68; CERT site